From: martin@martinorr.name (Martin Orr)
Date: Tue, 31 Mar 2009 15:51:11 +0100
Subject: [refpolicy] dbus/lvm read domain state
In-Reply-To: <200903161023.45640.russell@coker.com.au>
References: <49BD282F.2050609@martinorr.name>
	<200903161023.45640.russell@coker.com.au>
Message-ID: <49D22DDF.30508@martinorr.name>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 15/03/09 23:23, Russell Coker wrote:
> On Mon, 16 Mar 2009, Martin Orr <martin@martinorr.name> wrote:
>> +domain_read_all_domains_state(system_dbusd_t)
> 
> Do we really want all domains?  I think it will do to allow system_dbusd_t to 
> read all domains that talk to it.
> 
> Why not modify dbus_system_bus_client() to have something like the following?
>        allow system_dbusd_t $2:dir search;
>        allow system_dbusd_t $2:file read_file_perms;
> 

Yes, that makes sense.  I have added it to dbus_session_bus_client as well,
and to dbus_system_bus_unconfined for unconfined_t (not sure about the last
one - maybe unconfined_domain should call dbus_system_bus_client instead).

Also, I have a vague idea that I'm not supposed to use $1 as the object type
in an interface, and should use an attribute instead.  Not sure where I got
that idea from; Chris, could you confirm?

Index: policy/modules/system/lvm.te
===================================================================
--- policy/modules/system/lvm.te.orig
+++ policy/modules/system/lvm.te
@@ -243,6 +243,7 @@
 corecmd_exec_bin(lvm_t)
 corecmd_exec_shell(lvm_t)
 
+domain_dontaudit_read_all_domains_state(lvm_t)
 domain_use_interactive_fds(lvm_t)
 
 files_read_etc_files(lvm_t)
Index: policy/modules/services/dbus.if
===================================================================
--- policy/modules/services/dbus.if.orig
+++ policy/modules/services/dbus.if
@@ -197,6 +197,9 @@
 	files_search_pids($1)
 	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
 	dbus_read_config($1)
+
+	# DBus reads /proc/$pid/cmdline for logging
+	read_files_pattern(system_dbusd_t, $1, $1)
 ')
 
 #######################################
@@ -221,6 +224,9 @@
 
 	# For connecting to the bus
 	allow $1 session_bus_type:unix_stream_socket connectto;
+
+	# DBus reads /proc/$pid/cmdline for logging
+	read_files_pattern(session_bus_type, $1, $1)
 ')
 
 ########################################
@@ -317,4 +323,7 @@
 	')
 
 	allow $1 system_dbusd_t:dbus *;
+
+	# DBus reads /proc/$pid/cmdline for logging
+	read_files_pattern(system_dbusd_t, $1, $1)
 ')


-- 
Martin Orr