From: martin@martinorr.name (Martin Orr)
Date: Tue, 31 Mar 2009 15:51:11 +0100
Subject: [refpolicy] dbus/lvm read domain state
In-Reply-To: <200903161023.45640.russell@coker.com.au>
References: <49BD282F.2050609@martinorr.name> <200903161023.45640.russell@coker.com.au>
Message-ID: <49D22DDF.30508@martinorr.name>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 15/03/09 23:23, Russell Coker wrote:
> On Mon, 16 Mar 2009, Martin Orr wrote:
>> +domain_read_all_domains_state(system_dbusd_t)
>
> Do we really want all domains? I think it will do to allow system_dbusd_t to
> read all domains that talk to it.
>
> Why not modify dbus_system_bus_client() to have something like the following?
> allow system_dbusd_t $2:dir search;
> allow system_dbusd_t $2:file read_file_perms;
>

Yes, that makes sense. I have added it to dbus_session_bus_client as well, and
to dbus_system_bus_unconfined for unconfined_t (not sure about the last one -
maybe unconfined_domain should call dbus_system_bus_client instead).

Also, I have a vague idea that I'm not supposed to use $1 as the object type in
an interface, and should use an attribute instead. Not sure where I got that
idea from; Chris, could you confirm?

Index: policy/modules/system/lvm.te =================================================================== --- policy/modules/system/lvm.te.orig +++ policy/modules/system/lvm.te @@ -243,6 +243,7 @@ corecmd_exec_bin(lvm_t) corecmd_exec_shell(lvm_t) +domain_dontaudit_read_all_domains_state(lvm_t) domain_use_interactive_fds(lvm_t) files_read_etc_files(lvm_t) Index: policy/modules/services/dbus.if =================================================================== --- policy/modules/services/dbus.if.orig +++ policy/modules/services/dbus.if 
@@ -197,6 +197,9 @@ files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) + + # DBus reads /proc/$pid/cmdline for logging + read_files_pattern(system_dbusd_t, $1, $1) ') ####################################### @@ -221,6 +224,9 @@ # For connecting to the bus allow $1 session_bus_type:unix_stream_socket connectto; + + # DBus reads /proc/$pid/cmdline for logging + read_files_pattern(session_bus_type, $1, $1) ') ######################################## @@ -317,4 +323,7 @@ ') allow $1 system_dbusd_t:dbus *; + + # DBus reads /proc/$pid/cmdline for logging + read_files_pattern(system_dbusd_t, $1, $1) ') -- Martin Orr
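Review bot: the lvm.te hunk adds `domain_dontaudit_read_all_domains_state(lvm_t)` with no comment saying which /proc/<pid> access is being silenced, whereas each dbus.if hunk explains its rule ("DBus reads /proc/$pid/cmdline for logging"); add a one-line comment above it naming the lvm behaviour that triggers the denial, so a later reader can tell a harmless /proc scan (dontaudit is right) from a genuine read that would need the allow variant. The mail itself does not say which case lvm is.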
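Review bot: in the dbus_system_bus_client() hunk, `read_files_pattern(system_dbusd_t, $1, $1)` gives the bus daemon dir search and file read on the caller's domain type, which is how a $1 process's /proc/<pid> entries are labelled, so using $1 as the object type is correct here; what is missing is a sentence in the interface's description block stating that calling this interface also lets system_dbusd_t read the caller's /proc state, because the hunk changes what the interface grants to the daemon rather than to the caller and nothing in the interface name suggests that. Minor: the same two lines now appear in three interfaces; a small shared macro or interface would keep them in step.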
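Review bot: in the dbus_session_bus_client() hunk, `read_files_pattern(session_bus_type, $1, $1)` follows the `allow $1 session_bus_type:unix_stream_socket connectto;` line above it in using the attribute, but note the effect: every domain carrying session_bus_type can read /proc/<pid>/cmdline of every session bus client, not only the clients of the bus that the $1 process actually connects to. If that is acceptable for cmdline logging, say so in the comment; otherwise the rule would need to be scoped to the specific session bus domain the client talks to.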
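Review bot: the dbus_system_bus_unconfined() hunk adds a third verbatim copy of `read_files_pattern(system_dbusd_t, $1, $1)` instead of reusing the rule just added to dbus_system_bus_client(); as the mail itself suggests, having this interface (or unconfined_domain) call dbus_system_bus_client($1) would grant the same /proc access without a third copy to maintain, and the `allow $1 system_dbusd_t:dbus *;` line directly above already grants every dbus permission on the system bus, so the client rules would be a strict subset of what this interface hands out.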