2009-03-31 14:51:11

by martin

Subject: [refpolicy] dbus/lvm read domain state

On 15/03/09 23:23, Russell Coker wrote:
> On Mon, 16 Mar 2009, Martin Orr <[email protected]> wrote:
>> +domain_read_all_domains_state(system_dbusd_t)
>
> Do we really want all domains? I think it will do to allow system_dbusd_t to
> read all domains that talk to it.
>
> Why not modify dbus_system_bus_client() to have something like the following?
> allow system_dbusd_t $2:dir search;
> allow system_dbusd_t $2:file read_file_perms;
>

Yes, that makes sense. I have added it to dbus_session_bus_client as well,
and to dbus_system_bus_unconfined for unconfined_t (not sure about the last
one - maybe unconfined_domain should call dbus_system_bus_client instead).

Also, I have a vague idea that I'm not supposed to use $1 as the object type
in an interface, and should use an attribute instead. Not sure where I got
that idea from; Chris, could you confirm?

Index: policy/modules/system/lvm.te
===================================================================
--- policy/modules/system/lvm.te.orig
+++ policy/modules/system/lvm.te
@@ -243,6 +243,7 @@
corecmd_exec_bin(lvm_t)
corecmd_exec_shell(lvm_t)

+domain_dontaudit_read_all_domains_state(lvm_t)
domain_use_interactive_fds(lvm_t)

files_read_etc_files(lvm_t)
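Review bot: the new `domain_dontaudit_read_all_domains_state(lvm_t)` line is the only added rule in this patch that carries no explanatory comment, unlike the three dbus.if hunks. A dontaudit only silences the denials, so the reason lvm_t attempts to read other domains' /proc state (and confirmation that it works correctly without the access) should be recorded next to the rule, e.g. `# lvm scans /proc/<pid> of other domains; access not needed`, so that a later reviewer does not mistake the silenced denial for a missing permission.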
Index: policy/modules/services/dbus.if
===================================================================
--- policy/modules/services/dbus.if.orig
+++ policy/modules/services/dbus.if
@@ -197,6 +197,9 @@
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
+
+ # DBus reads /proc/$pid/cmdline for logging
+ read_files_pattern(system_dbusd_t, $1, $1)
')

#######################################
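Review bot: `read_files_pattern(system_dbusd_t, $1, $1)` grants system_dbusd_t search on every directory and read on every file labelled with the caller's domain type, not only /proc/$pid/cmdline as the comment states; for a process that includes the other per-process files carrying the domain label. Either make the comment reflect the real scope (`# DBus reads /proc/$pid state (cmdline) for logging`) or tighten the rule to the state-reading interface if one exists for a single domain. Note also that, per the author's own question above, this interface uses the bare domain type `$1` as the object type rather than an attribute; that is the same choice made in Russell's quoted suggestion, so it should be settled once for all three hunks.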
@@ -221,6 +224,9 @@

# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
+
+ # DBus reads /proc/$pid/cmdline for logging
+ read_files_pattern(session_bus_type, $1, $1)
')

########################################
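Review bot: this hunk uses the attribute `session_bus_type` as the subject in `read_files_pattern(session_bus_type, $1, $1)`, so every session bus domain, not just the bus the caller actually connects to, gains read access to the caller's /proc state. That is broader than the system-bus hunk, which names the single type `system_dbusd_t`; if that breadth is intended, say so in the comment, otherwise the interface should pass the specific session bus domain. The same comment text is copied verbatim from the previous hunk; the scope caveat raised there applies here too.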
@@ -317,4 +323,7 @@
')

allow $1 system_dbusd_t:dbus *;
+
+ # DBus reads /proc/$pid/cmdline for logging
+ read_files_pattern(system_dbusd_t, $1, $1)
')
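Review bot: this hunk duplicates the `read_files_pattern(system_dbusd_t, $1, $1)` rule already added to `dbus_system_bus_client()` in the first dbus.if hunk, so a domain that calls both interfaces ends up with the rule twice. Redundant allow rules are harmless to the compiled policy, but as the author notes in the message, the cleaner fix is to have the unconfined interface (or `unconfined_domain`) call `dbus_system_bus_client()` and drop this copy, so that the read access is maintained in one place.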


--
Martin Orr