On Wed, 2010-05-12 at 11:29 +0500, Shaz wrote:
> Dear list,
>
> I was reading [1] and found it very interesting but I can't figure out
> how the dbus rules will be added to the network manager LPM. Are there
> any examples available in the reference policy that can be followed to
> understand this clearly? If not in reference policy then where can I
> find a good and clear example?
>
> [1]
> http://www.redhat.com/magazine/003jan05/features/dbus/#more-security
It doesn't look like refpolicy presently defines any associate elements
in the default dbus_contexts configuration files. So that would mean
that acquire_svc checks are always against the bus daemon context, as
per man dbus-daemon. The intent was to allow control over what
processes can bind to specific names in dbus, just as we control what
processes can bind to specific TCP/UDP ports in the kernel. I'm not
sure why people haven't configured it for well-known dbus services and
used that to prevent arbitrary processes from binding those service
names.
The send_msg checks on the other hand are between the sender and
recipient contexts and don't rely on dbus_contexts configuration.
--
Stephen Smalley
National Security Agency
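To make the distinction above concrete, here is an added example (not refpolicy code and not part of this thread) that parses a constructed dbus_contexts file, resolves which context an acquire_svc check is made against for a given bus name, and emits the corresponding refpolicy allow rules. The <selinux>/<associate> syntax follows what dbus-daemon(1) documents; the bus name org.freedesktop.NetworkManager and the types NetworkManager_t and system_dbusd_t are real refpolicy identifiers, while the context NetworkManager_dbus_t is an assumed placeholder for a label one would define for the service name.

```python
import xml.etree.ElementTree as ET

# Constructed sample dbus_contexts file (not the one refpolicy ships).  A
# <selinux> block with <associate> elements is how dbus-daemon(1) maps a
# well-known bus name to an SELinux context; without it, acquire_svc is
# checked against the bus daemon's own context.  The context value below
# (NetworkManager_dbus_t) is an assumed placeholder type.
SAMPLE_DBUS_CONTEXTS = """\
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <selinux>
    <associate own="org.freedesktop.NetworkManager"
               context="system_u:object_r:NetworkManager_dbus_t:s0"/>
  </selinux>
</busconfig>
"""

# Constructed: the context the system bus daemon runs in (system_dbusd_t is
# the refpolicy type for the bus daemon).
BUS_DAEMON_CONTEXT = "system_u:system_r:system_dbusd_t:s0"


def load_associations(dbus_contexts_xml):
    """Return {bus_name: context} from every <selinux>/<associate> element."""
    root = ET.fromstring(dbus_contexts_xml)
    return {
        elem.get("own"): elem.get("context")
        for elem in root.findall("./selinux/associate")
        if elem.get("own") and elem.get("context")
    }


def acquire_svc_target(associations, bus_name, bus_daemon_context):
    """Context the acquire_svc check is made against when a process requests
    ownership of bus_name: the associated context if one is configured,
    otherwise the bus daemon's own context."""
    return associations.get(bus_name, bus_daemon_context)


def type_of(context):
    """Extract the type field from a user:role:type[:range] context string."""
    return context.split(":")[2]


def acquire_svc_rule(domain, associations, bus_name, bus_daemon_context):
    """Refpolicy rule that lets `domain` own `bus_name` under this configuration."""
    target = acquire_svc_target(associations, bus_name, bus_daemon_context)
    return f"allow {domain} {type_of(target)}:dbus acquire_svc;"


def send_msg_rule(sender_type, recipient_type):
    """send_msg is checked between sender and recipient; dbus_contexts plays no part."""
    return f"allow {sender_type} {recipient_type}:dbus send_msg;"


def may_own(allowed_acquire, domain, bus_name, associations, bus_daemon_context):
    """Simulate the acquire_svc decision.

    allowed_acquire is a set of (domain, target_type) pairs granted
    'dbus acquire_svc' by policy.  Returns True if `domain` may own `bus_name`.
    """
    target_type = type_of(acquire_svc_target(associations, bus_name, bus_daemon_context))
    return (domain, target_type) in allowed_acquire


if __name__ == "__main__":
    assoc = load_associations(SAMPLE_DBUS_CONTEXTS)
    nm = "org.freedesktop.NetworkManager"
    print(acquire_svc_rule("NetworkManager_t", assoc, nm, BUS_DAEMON_CONTEXT))
    print(acquire_svc_rule("NetworkManager_t", {}, nm, BUS_DAEMON_CONTEXT))
    print(send_msg_rule("NetworkManager_t", "system_dbusd_t"))
    # Constructed policy: every domain listed here holds acquire_svc on the bus
    # daemon type, which is the common state when no <associate> is configured.
    allowed = {("NetworkManager_t", "system_dbusd_t"),
               ("NetworkManager_t", "NetworkManager_dbus_t"),
               ("unconfined_t", "system_dbusd_t")}
    print("unconfined_t may own NM name, with associate:   ",
          may_own(allowed, "unconfined_t", nm, assoc, BUS_DAEMON_CONTEXT))
    print("unconfined_t may own NM name, without associate:",
          may_own(allowed, "unconfined_t", nm, {}, BUS_DAEMON_CONTEXT))
```

Running it shows the point of the reply: with no associate element, any domain holding acquire_svc on system_dbusd_t can claim the NetworkManager name, whereas the associate entry narrows ownership to domains granted acquire_svc on the dedicated type.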
> It doesn't look like refpolicy presently defines any associate elements
> in the default dbus_contexts configuration files. So that would mean
> that acquire_svc checks are always against the bus daemon context, as
> per man dbus-daemon. The intent was to allow control over what
> processes can bind to specific names in dbus, just as we control what
> processes can bind to specific TCP/UDP ports in the kernel. I'm not
> sure why people haven't configured it for well-known dbus services and
> used that to prevent arbitrary processes from binding those service
> names.
>
> The send_msg checks on the other hand are between the sender and
> recipient contexts and don't rely on dbus_contexts configuration.
>
Thank you Stephen for a nice starting pointer. Before asking any further
questions regarding this I will wait for some more replies from others to
make the thread useful.
--
Shaz