This patch adds self:capability sys_ptrace to the dbus module.
--- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 02:36:05.874787818 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:51:51.910683659 +0100
@@ -52,7 +52,7 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
On 02/16/11 01:35, Guido Trentalancia wrote:
> This patch adds self:capability sys_ptrace to the dbus module.
>
> --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 02:36:05.874787818 +0100
> +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:51:51.910683659 +0100
> @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
>
> # dac_override: /var/run/dbus is owned by messagebus on Debian
> # cjp: dac_override should probably go in a distro_debian
> -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
> +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
> dontaudit system_dbusd_t self:capability sys_tty_config;
> allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
> allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
I find this highly questionable. It needs justification.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/28/2011 09:48 AM, Christopher J. PeBenito wrote:
> On 02/16/11 01:35, Guido Trentalancia wrote:
>> This patch adds self:capability sys_ptrace to the dbus module.
>>
>> --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 02:36:05.874787818 +0100
>> +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:51:51.910683659 +0100
>> @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
>>
>> # dac_override: /var/run/dbus is owned by messagebus on Debian
>> # cjp: dac_override should probably go in a distro_debian
>> -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
>> +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
>> dontaudit system_dbusd_t self:capability sys_tty_config;
>> allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
>> allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
>
> I find this highly questionable. It needs justification.
>
We do not have this in Fedora. Might be similar to policykit, examining
/proc/PID/cmdline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1rv9cACgkQrlYvE4MpobPFbwCfS+tg0VMnAtOwN8G67WnBPN1J
xX0An1tydi5iEvayHq/QtiZPqLWtSEdf
=nXYv
-----END PGP SIGNATURE-----
Hello Christopher !
On Mon, 28/02/2011 at 09.48 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:35, Guido Trentalancia wrote:
> > This patch adds self:capability sys_ptrace to the dbus module.
> >
> > --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 02:36:05.874787818 +0100
> > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:51:51.910683659 +0100
> > @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
> >
> > # dac_override: /var/run/dbus is owned by messagebus on Debian
> > # cjp: dac_override should probably go in a distro_debian
> > -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
> > +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
> > dontaudit system_dbusd_t self:capability sys_tty_config;
> > allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
> > allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
>
> I find this highly questionable. It needs justification.
After testing with the latest dbus, there are even more:
+ sys_resource in capability
and
+ setrlimit in process.
What's the latest version of dbus that you have tested ?
Regards,
Guido