2010-09-09 12:16:07

by domg472

Subject: [refpolicy] [Dbus 1/1] Various fixes.

On Thu, Sep 09, 2010 at 08:05:26AM -0400, Christopher J. PeBenito wrote:
> On 09/03/10 06:01, Dominick Grift wrote:
> >Removed some unused dbus interfaces that really were too coarse anyway.
> >Renamed dbus_connect_session_bus to dbus_rename_all_session_bus for pulseaudio.
> >This interface should really be changed into something more specific.
>
> In this case I have to say no. Dbus should just be one domain
> constrained by UBAC, but due to its unfortunate ability to run
> programs, it needs to have separate domains. I still decided to
> keep the interfaces as if there was one domain.

Easy to say because refpolicy does not use them anyways. At least not the dbus_session_domain().
Once one starts confining user space (gnome apps etc), one will have to deal with this issue.

One calls a dbus_session_domain for one user, one calls it for all users (including unconfined_t).

>
> >Signed-off-by: Dominick Grift<[email protected]>
> >---
> >:100644 100644 5c2680c... 333cf99... M policy/modules/apps/pulseaudio.te
> >:100644 100644 39e901a... 4d16a6b... M policy/modules/services/dbus.if
> > policy/modules/apps/pulseaudio.te | 2 +-
> > policy/modules/services/dbus.if | 51 +-----------------------------------
> > 2 files changed, 3 insertions(+), 50 deletions(-)
> >
> >diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> >index 5c2680c..333cf99 100644
> >--- a/policy/modules/apps/pulseaudio.te
> >+++ b/policy/modules/apps/pulseaudio.te
> >@@ -107,7 +107,7 @@ optional_policy(`
> > dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
> > dbus_system_bus_client(pulseaudio_t)
> > dbus_session_bus_client(pulseaudio_t)
> >- dbus_connect_session_bus(pulseaudio_t)
> >+ dbus_connect_all_session_bus(pulseaudio_t)
> >
> > optional_policy(`
> > consolekit_dbus_chat(pulseaudio_t)
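
Review bot: The commit message says the interface was renamed to dbus_rename_all_session_bus, but the call on the added line here uses dbus_connect_all_session_bus, which is also the name defined in dbus.if; correct the message so it matches the code. Since the message itself says this interface should become something more specific, a short comment at this call site marking the all-session-bus grant as a placeholder would make it easy to find later.
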
> >diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
> >index 39e901a..4d16a6b 100644
> >--- a/policy/modules/services/dbus.if
> >+++ b/policy/modules/services/dbus.if
> >@@ -221,25 +221,6 @@ interface(`dbus_session_bus_client',`
> >
> > ########################################
> > ##<summary>
> >-## Send a message the session DBUS.
> >-##</summary>
> >-##<param name="domain">
> >-## <summary>
> >-## Domain allowed access.
> >-## </summary>
> >-##</param>
> >-#
> >-interface(`dbus_send_session_bus',`
> >- gen_require(`
> >- attribute session_bus_type;
> >- class dbus send_msg;
> >- ')
> >-
> >- allow $1 session_bus_type:dbus send_msg;
> >-')
> >-
> >-########################################
> >-##<summary>
> > ## Read dbus configuration.
> > ##</summary>
> > ##<param name="domain">
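
Review bot: Dropping dbus_send_session_bus outright makes any module that still calls it fail to build, and nothing in this patch shows that no callers remain. Either state in the commit message that the tree was checked for callers, or keep the interface as a deprecated stub for a release before deleting it. The coarse part is the rule `allow $1 session_bus_type:dbus send_msg;`, which targets the whole session_bus_type attribute, so the message should name that as the reason for removal.
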
> >@@ -298,7 +279,7 @@ interface(`dbus_manage_lib_files',`
> >
> > ########################################
> > ##<summary>
> >-## Connect to the system DBUS
> >+## Connect to all session DBUS
> > ## for service (acquire_svc).
> > ##</summary>
> > ##<param name="domain">
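
Review bot: The new summary line "Connect to all session DBUS" corrects the old text, which said system bus for an interface that requires session_bus_type, but it reads awkwardly. Something like "Acquire services on all session bus domains (acquire_svc)" would state the scope and the permission in one sentence.
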
> >@@ -307,7 +288,7 @@ interface(`dbus_manage_lib_files',`
> > ## </summary>
> > ##</param>
> > #
> >-interface(`dbus_connect_session_bus',`
> >+interface(`dbus_connect_all_session_bus',`
> > gen_require(`
> > attribute session_bus_type;
> > class dbus acquire_svc;
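
Review bot: The rename to dbus_connect_all_session_bus leaves nothing under the old name, so any out-of-tree caller of dbus_connect_session_bus breaks without a hint. Within this patch only the pulseaudio.te call is updated, and the other visible caller, dbus_session_domain, is deleted in the next hunk. Consider keeping dbus_connect_session_bus as a thin deprecated wrapper that calls the new name.
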
> >@@ -318,34 +299,6 @@ interface(`dbus_connect_session_bus',`
> >
> > ########################################
> > ##<summary>
> >-## Allow a application domain to be started
> >-## by the session dbus.
> >-##</summary>
> >-##<param name="domain">
> >-## <summary>
> >-## Type to be used as a domain.
> >-## </summary>
> >-##</param>
> >-##<param name="entry_point">
> >-## <summary>
> >-## Type of the program to be used as an
> >-## entry point to this domain.
> >-## </summary>
> >-##</param>
> >-#
> >-interface(`dbus_session_domain',`
> >- gen_require(`
> >- attribute session_bus_type;
> >- ')
> >-
> >- domtrans_pattern(session_bus_type, $2, $1)
> >-
> >- dbus_session_bus_client($1)
> >- dbus_connect_session_bus($1)
> >-')
> >-
> >-########################################
> >-##<summary>
> > ## Connect to the system DBUS
> > ## for service (acquire_svc).
> > ##</summary>
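
Review bot: Removing dbus_session_domain takes away the only interface shown here that provides `domtrans_pattern(session_bus_type, $2, $1)`, and the patch adds no replacement for domains started by a session bus. The coarseness comes from transitioning out of the session_bus_type attribute, i.e. every session bus domain; a narrower variant that takes the specific session bus type as a parameter would address that without removing the capability. The maintainer's reply in this thread declines the removal as well, so this hunk should be dropped or reworked before resubmitting.
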
> >
> >
> >
> >_______________________________________________
> >refpolicy mailing list
> >refpolicy at oss.tresys.com
> >http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com