Allow the unprivileged user to chat over dbus with a few
other domains (e.g. in a gnome session).
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/roles/unprivuser.te | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- refpolicy-git-06082016-orig/policy/modules/roles/unprivuser.te 2016-08-06
21:26:43.293774259 +0200
+++ refpolicy-git-06082016/policy/modules/roles/unprivuser.te 2016-08-13
15:05:58.696124415 +0200
@@ -13,14 +13,27 @@ policy_module(unprivuser, 2.6.0)
userdom_unpriv_user_template(user)
optional_policy(`
+ accountsd_dbus_chat(user_t)
+')
+
+optional_policy(`
apache_role(user_r, user_t)
')
optional_policy(`
+ devicekit_dbus_chat_disk(user_t)
+ devicekit_dbus_chat_power(user_t)
+')
+
+optional_policy(`
git_role(user_r, user_t)
')
optional_policy(`
+ rtkit_daemon_dbus_chat(user_t)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')
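Review bot: user_t is hardcoded in all three added optional_policy blocks (accountsd, devicekit, rtkit), so only the role built by userdom_unpriv_user_template(user) gains these dbus chat permissions, and roles defined in other files are left without them. Moving the calls into the shared user template with $1_t as the argument would cover every user role from one place. The commit message should also name the domains involved instead of "a few other domains".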
@@ -30,6 +43,7 @@ optional_policy(`
optional_policy(`
xserver_role(user_r, user_t)
+ xdm_dbus_chat(user_t)
')
ifndef(`distro_redhat',`
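Review bot: the xdm_ prefix on xdm_dbus_chat(user_t) does not match the module it is grouped with, since the call sits beside xserver_role() in the xserver optional_policy block, while the other interfaces in this patch (accountsd_, devicekit_, rtkit_) are prefixed with the name of the module that defines them. If the xserver module provides this interface, a name starting with xserver_ would follow the same convention; the follow-up later in this thread uses xserver_dbus_chat_xdm.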
On Sat, Aug 13, 2016 at 07:12:41PM +0200, guido guido wrote:
> Allow the unprivileged user to chat over dbus with a few
> other domains (e.g. in a gnome session).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/roles/unprivuser.te | 14 ++++++++++++++
These should probably be added to
template(`userdom_common_user_template',` in system/userdomain.if so
that all roles get it. Otherwise staff_t won't have them.
-- Jason
> 1 file changed, 14 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/roles/unprivuser.te 2016-08-06
> 21:26:43.293774259 +0200
> +++ refpolicy-git-06082016/policy/modules/roles/unprivuser.te 2016-08-13
> 15:05:58.696124415 +0200
> @@ -13,14 +13,27 @@ policy_module(unprivuser, 2.6.0)
> userdom_unpriv_user_template(user)
>
> optional_policy(`
> + accountsd_dbus_chat(user_t)
> +')
> +
> +optional_policy(`
> apache_role(user_r, user_t)
> ')
>
> optional_policy(`
> + devicekit_dbus_chat_disk(user_t)
> + devicekit_dbus_chat_power(user_t)
> +')
> +
> +optional_policy(`
> git_role(user_r, user_t)
> ')
>
> optional_policy(`
> + rtkit_daemon_dbus_chat(user_t)
> +')
> +
> +optional_policy(`
> screen_role_template(user, user_r, user_t)
> ')
>
> @@ -30,6 +43,7 @@ optional_policy(`
>
> optional_policy(`
> xserver_role(user_r, user_t)
> + xdm_dbus_chat(user_t)
> ')
>
> ifndef(`distro_redhat',`
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Hello Jason,
thanks for pointing this out.
> On the 13th of August 2016 at 19.59 Jason Zaman <[email protected]> wrote:
>
>
> On Sat, Aug 13, 2016 at 07:12:41PM +0200, guido guido wrote:
> > Allow the unprivileged user to chat over dbus with a few
> > other domains (e.g. in a gnome session).
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/roles/unprivuser.te | 14 ++++++++++++++
>
> These should probably be added to
> template(`userdom_common_user_template',` in system/userdomain.if so
> that all roles get it. Otherwise staff_t won't have them.
I have now created a new patch against the userdomain module so that these get
propagated to different roles.
> -- Jason
>
> > 1 file changed, 14 insertions(+)
> >
> > --- refpolicy-git-06082016-orig/policy/modules/roles/unprivuser.te
> > 2016-08-06
> > 21:26:43.293774259 +0200
> > +++ refpolicy-git-06082016/policy/modules/roles/unprivuser.te 2016-08-13
> > 15:05:58.696124415 +0200
> > @@ -13,14 +13,27 @@ policy_module(unprivuser, 2.6.0)
> > userdom_unpriv_user_template(user)
> >
> > optional_policy(`
> > + accountsd_dbus_chat(user_t)
> > +')
> > +
> > +optional_policy(`
> > apache_role(user_r, user_t)
> > ')
> >
> > optional_policy(`
> > + devicekit_dbus_chat_disk(user_t)
> > + devicekit_dbus_chat_power(user_t)
> > +')
> > +
> > +optional_policy(`
> > git_role(user_r, user_t)
> > ')
> >
> > optional_policy(`
> > + rtkit_daemon_dbus_chat(user_t)
> > +')
> > +
> > +optional_policy(`
> > screen_role_template(user, user_r, user_t)
> > ')
> >
> > @@ -30,6 +43,7 @@ optional_policy(`
> >
> > optional_policy(`
> > xserver_role(user_r, user_t)
> > + xdm_dbus_chat(user_t)
> > ')
> >
> > ifndef(`distro_redhat',`
Best regards,
Guido
Allow the system user domains to chat over dbus with a few other
domains (e.g. gnome session).
Thanks to Jason Zaman for pointing out the correct interface to
achieve this.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/userdomain.if | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06
21:26:43.311774465 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-13
22:23:25.725173974 +0200
@@ -596,10 +596,18 @@ template(`userdom_common_user_template',
dbus_system_bus_client($1_t)
optional_policy(`
+ accountsd_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
bluetooth_dbus_chat($1_t)
')
optional_policy(`
+ colord_dbus_chat($1_r, $1_t)
+ ')
+
+ optional_policy(`
consolekit_dbus_chat($1_t)
')
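Review bot: colord_dbus_chat($1_r, $1_t) in the second added block is called with a role and a type, while every other *_dbus_chat call in this hunk takes only $1_t; check the interface's parameter list and drop $1_r if it expects a single domain. The diffstat also reports 23 insertions and 2 deletions, but the three hunks contain 21 added lines and no removed lines, so the patch looks edited after it was generated and should be regenerated.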
@@ -608,6 +616,11 @@ template(`userdom_common_user_template',
')
optional_policy(`
+ devicekit_dbus_chat_disk($1_t)
+ devicekit_dbus_chat_power($1_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat($1_t)
')
@@ -618,6 +631,14 @@ template(`userdom_common_user_template',
optional_policy(`
policykit_dbus_chat($1_t)
')
+
+ optional_policy(`
+ rtkit_daemon_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ xdm_dbus_chat($1_t)
+ ')
')
optional_policy(`
Allow the system user domains to chat over dbus with a few other
domains (e.g. gnome session).
Thanks to Jason Zaman for pointing out the correct interface to
achieve this.
This new version fixes a typographic error in the previous version.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/userdomain.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06
21:26:43.311774465 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-13
23:17:44.315406734 +0200
@@ -596,10 +596,18 @@ template(`userdom_common_user_template',
dbus_system_bus_client($1_t)
optional_policy(`
+ accountsd_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
bluetooth_dbus_chat($1_t)
')
optional_policy(`
+ colord_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
consolekit_dbus_chat($1_t)
')
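Review bot: the commit message says this version fixes a typographic error but not which one; compared with the previous posting, the visible change in this hunk is colord_dbus_chat($1_t) now taking a single argument. A one-line changelog under the --- separator naming that change would save reviewers from diffing the two versions. colord is also new relative to the unprivuser.te patch and deserves a mention in the description.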
@@ -608,6 +616,11 @@ template(`userdom_common_user_template',
')
optional_policy(`
+ devicekit_dbus_chat_disk($1_t)
+ devicekit_dbus_chat_power($1_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat($1_t)
')
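Review bot: granting devicekit_dbus_chat_disk($1_t) and devicekit_dbus_chat_power($1_t) unconditionally to every role instantiated from userdom_common_user_template is wider than the gnome session use case given in the commit message. Please state which session component needs disk and power access over dbus, and consider whether roles that never run a desktop session should receive it.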
@@ -618,6 +631,14 @@ template(`userdom_common_user_template',
optional_policy(`
policykit_dbus_chat($1_t)
')
+
+ optional_policy(`
+ rtkit_daemon_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ xdm_dbus_chat($1_t)
+ ')
')
optional_policy(`
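Review bot: xdm_dbus_chat($1_t) in the last added block calls an interface whose definition is not part of this patch, and the description does not say which patch or module provides it, so the change cannot be checked in isolation. Name the prerequisite in the commit message and settle the interface name before this goes in; the follow-up in this thread changes this call to xserver_dbus_chat_xdm($1_t).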
On 08/13/16 17:23, Guido Trentalancia wrote:
> Allow the system user domains to chat over dbus with a few other
> domains (e.g. gnome session).
>
> Thanks to Jason Zaman for pointing out the correct interface to
> achieve this.
>
> This new version fixes a typographic error in the previous version.
Merged.
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/system/userdomain.if | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06
> 21:26:43.311774465 +0200
> +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-13
> 23:17:44.315406734 +0200
> @@ -596,10 +596,18 @@ template(`userdom_common_user_template',
> dbus_system_bus_client($1_t)
>
> optional_policy(`
> + accountsd_dbus_chat($1_t)
> + ')
> +
> + optional_policy(`
> bluetooth_dbus_chat($1_t)
> ')
>
> optional_policy(`
> + colord_dbus_chat($1_t)
> + ')
> +
> + optional_policy(`
> consolekit_dbus_chat($1_t)
> ')
>
> @@ -608,6 +616,11 @@ template(`userdom_common_user_template',
> ')
>
> optional_policy(`
> + devicekit_dbus_chat_disk($1_t)
> + devicekit_dbus_chat_power($1_t)
> + ')
> +
> + optional_policy(`
> hal_dbus_chat($1_t)
> ')
>
> @@ -618,6 +631,14 @@ template(`userdom_common_user_template',
> optional_policy(`
> policykit_dbus_chat($1_t)
> ')
> +
> + optional_policy(`
> + rtkit_daemon_dbus_chat($1_t)
> + ')
> +
> + optional_policy(`
> + xdm_dbus_chat($1_t)
> + ')
> ')
>
> optional_policy(`
--
Chris PeBenito
Hello Chris !
On Sat, 14/08/2016 at 14.13 -0400, Chris PeBenito wrote:
> On 08/13/16 17:23, Guido Trentalancia wrote:
> > Allow the system user domains to chat over dbus with a few other
> > domains (e.g. gnome session).
> >
> > Thanks to Jason Zaman for pointing out the correct interface to
> > achieve this.
> >
> > This new version fixes a typographic error in the previous version.
>
> Merged.
You merged an interface xdm_dbus_chat() which, you said, brings a wrong
name.
I am now going to create a short patch to fix this problem (and a new
patch for the xserver module).
>
>
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/system/userdomain.if | 21 +++++++++++++++++++++
> > 1 file changed, 21 insertions(+)
> >
> > --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if
> > 2016-08-06
> > 21:26:43.311774465 +0200
> > +++ refpolicy-git-06082016/policy/modules/system/userdomain.if
> > 2016-08-13
> > 23:17:44.315406734 +0200
> > @@ -596,10 +596,18 @@ template(`userdom_common_user_template',
> > ? dbus_system_bus_client($1_t)
> >
> > ? optional_policy(`
> > + accountsd_dbus_chat($1_t)
> > + ')
> > +
> > + optional_policy(`
> > ? bluetooth_dbus_chat($1_t)
> > ? ')
> >
> > ? optional_policy(`
> > + colord_dbus_chat($1_t)
> > + ')
> > +
> > + optional_policy(`
> > ? consolekit_dbus_chat($1_t)
> > ? ')
> >
> > @@ -608,6 +616,11 @@ template(`userdom_common_user_template',
> > ? ')
> >
> > ? optional_policy(`
> > + devicekit_dbus_chat_disk($1_t)
> > + devicekit_dbus_chat_power($1_t)
> > + ')
> > +
> > + optional_policy(`
> > ? hal_dbus_chat($1_t)
> > ? ')
> >
> > @@ -618,6 +631,14 @@ template(`userdom_common_user_template',
> > ? optional_policy(`
> > ? policykit_dbus_chat($1_t)
> > ? ')
> > +
> > + optional_policy(`
> > + rtkit_daemon_dbus_chat($1_t)
> > + ')
> > +
> > + optional_policy(`
> > + xdm_dbus_chat($1_t)
> > + ')
> > ? ')
> >
> > ? optional_policy(`
Correct the name of the xserver interface used for chatting over
dbus with xdm.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/userdomain.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- refpolicy-git-06082016-userdomain-old/policy/modules/system/userdomain.if 2016-08-14 21:15:52.538757993 +0200
+++ refpolicy-git-06082016-userdomain-new/policy/modules/system/userdomain.if 2016-08-14 21:15:06.508995516 +0200
@@ -637,7 +637,7 @@ template(`userdom_common_user_template',
')
optional_policy(`
- xdm_dbus_chat($1_t)
+ xserver_dbus_chat_xdm($1_t)
')
')
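Review bot: the definition of xserver_dbus_chat_xdm is missing from this patch, which changes only the call inside userdom_common_user_template at the + line; the earlier message in this thread says the xserver module gets a separate patch. State that ordering in the commit message or send both as one series, so that no intermediate tree has userdomain.if calling a name the xserver module does not yet define.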