2014-04-11 17:27:14

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/5] Fix dbus_all_session_domain(), session_bus_type is an attribute

From: Laurent Bigonville <[email protected]>

Fix dbus_all_session_domain(), session_bus_type is an attribute not a
type
---
dbus.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dbus.if b/dbus.if
index 62d22cb..d3036c6 100644
--- a/dbus.if
+++ b/dbus.if
@@ -426,7 +426,7 @@ interface(`dbus_session_domain',`
#
interface(`dbus_all_session_domain',`
gen_require(`
- type session_bus_type;
+ attribute session_bus_type;
')

domtrans_pattern(session_bus_type, $2, $1)
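Review bot: the commit message should spell out the scope this interface ends up with: domtrans_pattern(session_bus_type, $2, $1) lets every domain carrying the session_bus_type attribute (i.e. all per-role session bus daemons) transition into $1 when it executes $2, which is wider than the per-role dbus_session_domain() shown in the hunk header. The keyword fix itself is right: with `type session_bus_type;` the gen_require would not match an identifier declared as an attribute, so the interface could not be used at all; callers pass (domain, entrypoint), as dbus_all_session_domain(gconfd_t, gconfd_exec_t) in patch 2/5 of this series does.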
--
1.9.2


2014-04-11 17:27:18

by Laurent Bigonville

Subject: [refpolicy] [PATCH 5/5] Add new gnome_spec_domtrans_all_gkeyringd() interface

From: Laurent Bigonville <[email protected]>

Allow the caller to transition to all the gkeyringd domains
---
gnome.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)

diff --git a/gnome.if b/gnome.if
index 112d33b..118ee01 100644
--- a/gnome.if
+++ b/gnome.if
@@ -671,6 +671,26 @@ interface(`gnome_dbus_chat_all_gkeyringd',`

########################################
## <summary>
+## Run all gkeyringd in gkeyringd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnome_spec_domtrans_all_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gkeyringd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain)
+')
+
+########################################
+## <summary>
## Connect to gnome keyring daemon
## with a unix stream socket.
## </summary>
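Review bot: the summary "Run all gkeyringd in gkeyringd domain." does not say that this is a manual transition: spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain) gives $1 permission to transition into any domain in the gkeyringd_domain attribute on executing gkeyringd_exec_t, but adds no type_transition rule, so the caller must request the target context explicitly and must make sure its role is allowed that gkeyringd domain. Suggest wording along the lines of "Execute gkeyringd in any of the gkeyringd domains (manual transition)." and noting in the param summary that $1 may choose any gkeyringd_domain target.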
--
1.9.2

2014-04-11 17:27:16

by Laurent Bigonville

Subject: [refpolicy] [PATCH 3/5] Fix the usage of dbus_spec_session_domain() interface

From: Laurent Bigonville <[email protected]>

Change the order of the parameters for the calls to
dbus_spec_session_domain() interface.

For consistency with the other dbus interfaces and the backward
compatibility, we consider that the description was correct and we
change the callers instead.

The order of the parameter for this interface is the following:
dbus_spec_session_domain(role_prefix, domain, entry_point)
---
dbus.if | 2 +-
gnome.if | 2 +-
obex.if | 2 +-
telepathy.if | 18 +++++++++---------
4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/dbus.if b/dbus.if
index d3036c6..c3f2118 100644
--- a/dbus.if
+++ b/dbus.if
@@ -463,7 +463,7 @@ interface(`dbus_spec_session_domain',`
type $1_dbusd_t;
')

- domtrans_pattern($1_dbusd_t, $2, $3)
+ domtrans_pattern($1_dbusd_t, $3, $2)

dbus_spec_session_bus_client($1, $2)
dbus_connect_spec_session_bus($1, $2)
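Review bot: the commit message says the callers are changed rather than the interface, but this hunk changes the interface body as well, and it should say so. The swap is nevertheless the right one: the context lines dbus_spec_session_bus_client($1, $2) and dbus_connect_spec_session_bus($1, $2) already treat $2 as the domain, so with the old domtrans_pattern($1_dbusd_t, $2, $3) the callers passing (exec type, domain) got a working transition while the bus-client rules were being granted to the exec type instead of the domain. With domtrans_pattern($1_dbusd_t, $3, $2) all three calls agree on $2 = domain, $3 = entry point.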
diff --git a/gnome.if b/gnome.if
index ab09d61..112d33b 100644
--- a/gnome.if
+++ b/gnome.if
@@ -109,7 +109,7 @@ template(`gnome_role_template',`
gnome_stream_connect_gkeyringd($1, $3)

optional_policy(`
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)

optional_policy(`
gnome_dbus_chat_gkeyringd($1, $3)
diff --git a/obex.if b/obex.if
index 8635ea2..410c0e8 100644
--- a/obex.if
+++ b/obex.if
@@ -42,7 +42,7 @@ template(`obex_role_template',`
allow $3 obex_t:process { ptrace signal_perms };
ps_process_pattern($3, obex_t)

- dbus_spec_session_domain($1, obex_exec_t, obex_t)
+ dbus_spec_session_domain($1, obex_t, obex_exec_t)

obex_dbus_chat($3)
')
diff --git a/telepathy.if b/telepathy.if
index 42946bc..0d58469 100644
--- a/telepathy.if
+++ b/telepathy.if
@@ -78,15 +78,15 @@ template(`telepathy_role_template',`
telepathy_msn_stream_connect($3)
telepathy_salut_stream_connect($3)

- dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
- dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
- dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
- dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t)
- dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t)
- dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t)
- dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t)
- dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
- dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t)
+ dbus_spec_session_domain($1, telepathy_gabble_t, telepathy_gabble_exec_t)
+ dbus_spec_session_domain($1, telepathy_sofiasip_t, telepathy_sofiasip_exec_t)
+ dbus_spec_session_domain($1, telepathy_idle_t, telepathy_idle_exec_t)
+ dbus_spec_session_domain($1, telepathy_logger_t, telepathy_logger_exec_t)
+ dbus_spec_session_domain($1, telepathy_mission_control_t, telepathy_mission_control_exec_t)
+ dbus_spec_session_domain($1, telepathy_salut_t, telepathy_salut_exec_t)
+ dbus_spec_session_domain($1, telepathy_sunshine_t, telepathy_sunshine_exec_t)
+ dbus_spec_session_domain($1, telepathy_stream_engine_t, telepathy_stream_engine_exec_t)
+ dbus_spec_session_domain($1, telepathy_msn_t, telepathy_msn_exec_t)

allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
--
1.9.2

2014-04-11 17:27:17

by Laurent Bigonville

Subject: [refpolicy] [PATCH 4/5] Properly label exim4 initscript under Debian

From: Laurent Bigonville <[email protected]>

Keep the same regex expression as for the other filecontexts
---
exim.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/exim.fc b/exim.fc
index 9df498d..48abe95 100644
--- a/exim.fc
+++ b/exim.fc
@@ -1,4 +1,4 @@
-/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/exim[0-9]? -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)

/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
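Review bot: the subject talks about Debian's exim4 initscript, which lives under /etc/init.d, while the hunk only touches /etc/rc\.d/init\.d/exim[0-9]?; this relies on the /etc/init.d to /etc/rc.d/init.d path substitution (file_contexts.subs_dist), which is not visible here, so the commit message should mention it. Otherwise the pattern now matches what the /usr/sbin/exim[0-9]? line below already does, exim and exim0 through exim9 as regular files (the `--` file-type field), and nothing else.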
--
1.9.2

2014-04-11 17:27:15

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/5] Allow gconfd to be started by the session bus

From: Laurent Bigonville <[email protected]>

Allow gconfd to be started by the session bus and make it transition to
its own domain.

It also connects to the system bus to listen to signals from
org.gnome.GConf.Defaults interface
---
gnome.te | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/gnome.te b/gnome.te
index 5e3c10b..a913899 100644
--- a/gnome.te
+++ b/gnome.te
@@ -91,6 +91,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)

optional_policy(`
+ dbus_all_session_domain(gconfd_t, gconfd_exec_t)
+
+ dbus_system_bus_client(gconfd_t)
+')
+
+optional_policy(`
nscd_dontaudit_search_pid(gconfd_t)
')

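Review bot: the commit message says gconfd listens to signals from the org.gnome.GConf.Defaults interface on the system bus, but the hunk only adds dbus_system_bus_client(gconfd_t), which covers talking to the bus daemon itself; receiving those signals also needs a dbus send_msg rule from the domain that emits them to gconfd_t, and no such rule is in this hunk. Either name that domain and add the corresponding chat rule, or state in the message that it is already covered. Also worth a line: dbus_all_session_domain(gconfd_t, gconfd_exec_t) lets every session bus domain transition into gconfd_t, which is wider than a per-role dbus_spec_session_domain() call.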
--
1.9.2

2014-04-15 13:23:48

by cpebenito

Subject: [refpolicy] [PATCH 1/5] Fix dbus_all_session_domain(), session_bus_type is an attribute

On 04/11/2014 01:27 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Fix dbus_all_session_domain(), session_bus_type is an attribute not a
> type
> ---
> dbus.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/dbus.if b/dbus.if
> index 62d22cb..d3036c6 100644
> --- a/dbus.if
> +++ b/dbus.if
> @@ -426,7 +426,7 @@ interface(`dbus_session_domain',`
> #
> interface(`dbus_all_session_domain',`
> gen_require(`
> - type session_bus_type;
> + attribute session_bus_type;
> ')
>
> domtrans_pattern(session_bus_type, $2, $1)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-04-15 13:24:20

by cpebenito

Subject: [refpolicy] [PATCH 2/5] Allow gconfd to be started by the session bus

On 04/11/2014 01:27 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Allow gconfd to be started by the session bus and make it transition to
> its own domain.
>
> It also connects to the system bus to listen to signals from
> org.gnome.GConf.Defaults interface
> ---
> gnome.te | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/gnome.te b/gnome.te
> index 5e3c10b..a913899 100644
> --- a/gnome.te
> +++ b/gnome.te
> @@ -91,6 +91,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>
> optional_policy(`
> + dbus_all_session_domain(gconfd_t, gconfd_exec_t)
> +
> + dbus_system_bus_client(gconfd_t)
> +')
> +
> +optional_policy(`
> nscd_dontaudit_search_pid(gconfd_t)
> ')

Merged.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-04-15 13:24:37

by cpebenito

Subject: [refpolicy] [PATCH 3/5] Fix the usage of dbus_spec_session_domain() interface

On 04/11/2014 01:27 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Change the order of the parameters for the calls to
> dbus_spec_session_domain() interface.
>
> For consistency with the other dbus interfaces and the backward
> compatibility, we consider that the description was correct and we
> change the callers instead.
>
> The order of the parameter for this interface is the following:
> dbus_spec_session_domain(role_prefix, domain, entry_point)

Merged.


> ---
> dbus.if | 2 +-
> gnome.if | 2 +-
> obex.if | 2 +-
> telepathy.if | 18 +++++++++---------
> 4 files changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/dbus.if b/dbus.if
> index d3036c6..c3f2118 100644
> --- a/dbus.if
> +++ b/dbus.if
> @@ -463,7 +463,7 @@ interface(`dbus_spec_session_domain',`
> type $1_dbusd_t;
> ')
>
> - domtrans_pattern($1_dbusd_t, $2, $3)
> + domtrans_pattern($1_dbusd_t, $3, $2)
>
> dbus_spec_session_bus_client($1, $2)
> dbus_connect_spec_session_bus($1, $2)
> diff --git a/gnome.if b/gnome.if
> index ab09d61..112d33b 100644
> --- a/gnome.if
> +++ b/gnome.if
> @@ -109,7 +109,7 @@ template(`gnome_role_template',`
> gnome_stream_connect_gkeyringd($1, $3)
>
> optional_policy(`
> - dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
> + dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
>
> optional_policy(`
> gnome_dbus_chat_gkeyringd($1, $3)
> diff --git a/obex.if b/obex.if
> index 8635ea2..410c0e8 100644
> --- a/obex.if
> +++ b/obex.if
> @@ -42,7 +42,7 @@ template(`obex_role_template',`
> allow $3 obex_t:process { ptrace signal_perms };
> ps_process_pattern($3, obex_t)
>
> - dbus_spec_session_domain($1, obex_exec_t, obex_t)
> + dbus_spec_session_domain($1, obex_t, obex_exec_t)
>
> obex_dbus_chat($3)
> ')
> diff --git a/telepathy.if b/telepathy.if
> index 42946bc..0d58469 100644
> --- a/telepathy.if
> +++ b/telepathy.if
> @@ -78,15 +78,15 @@ template(`telepathy_role_template',`
> telepathy_msn_stream_connect($3)
> telepathy_salut_stream_connect($3)
>
> - dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
> - dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
> - dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
> - dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t)
> - dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t)
> - dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t)
> - dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t)
> - dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
> - dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t)
> + dbus_spec_session_domain($1, telepathy_gabble_t, telepathy_gabble_exec_t)
> + dbus_spec_session_domain($1, telepathy_sofiasip_t, telepathy_sofiasip_exec_t)
> + dbus_spec_session_domain($1, telepathy_idle_t, telepathy_idle_exec_t)
> + dbus_spec_session_domain($1, telepathy_logger_t, telepathy_logger_exec_t)
> + dbus_spec_session_domain($1, telepathy_mission_control_t, telepathy_mission_control_exec_t)
> + dbus_spec_session_domain($1, telepathy_salut_t, telepathy_salut_exec_t)
> + dbus_spec_session_domain($1, telepathy_sunshine_t, telepathy_sunshine_exec_t)
> + dbus_spec_session_domain($1, telepathy_stream_engine_t, telepathy_stream_engine_exec_t)
> + dbus_spec_session_domain($1, telepathy_msn_t, telepathy_msn_exec_t)
>
> allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
> allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-04-15 13:24:44

by cpebenito

Subject: [refpolicy] [PATCH 4/5] Properly label exim4 initscript under Debian

On 04/11/2014 01:27 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Keep the same regex expression as for the other filecontexts
> ---
> exim.fc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/exim.fc b/exim.fc
> index 9df498d..48abe95 100644
> --- a/exim.fc
> +++ b/exim.fc
> @@ -1,4 +1,4 @@
> -/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/exim[0-9]? -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
>
> /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
> /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-04-15 13:25:01

by cpebenito

Subject: [refpolicy] [PATCH 5/5] Add new gnome_spec_domtrans_all_gkeyringd() interface

On 04/11/2014 01:27 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Allow the caller to transition to all the gkeyringd domains
> ---
> gnome.if | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> diff --git a/gnome.if b/gnome.if
> index 112d33b..118ee01 100644
> --- a/gnome.if
> +++ b/gnome.if
> @@ -671,6 +671,26 @@ interface(`gnome_dbus_chat_all_gkeyringd',`
>
> ########################################
> ## <summary>
> +## Run all gkeyringd in gkeyringd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_spec_domtrans_all_gkeyringd',`
> + gen_require(`
> + attribute gkeyringd_domain;
> + type gkeyringd_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain)
> +')

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com