From: domg472@gmail.com (Dominick Grift)
Date: Thu, 9 Sep 2010 14:16:07 +0200
Subject: [refpolicy] [Dbus 1/1] Various fixes.
In-Reply-To: <4C88CD86.7070603@tresys.com>
References: <20100903100152.GA21698@localhost.localdomain> <4C88CD86.7070603@tresys.com>
Message-ID: <20100909121607.GB16089@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Sep 09, 2010 at 08:05:26AM -0400, Christopher J. PeBenito wrote:
> On 09/03/10 06:01, Dominick Grift wrote:
> >Removed some unused dbus interfaces that really were too coarse anyway.
> >Renamed dbus_connect_session_bus to dbus_rename_all_session_bus for pulseaudio.
> >This interface should really be changed into something more specific.
>
> In this case I have to say no. Dbus should just be one domain
> constrained by UBAC, but due to its unfortunate ability to run
> programs, it needs to have separate domains. I still decided to
> keep the interfaces as if there was one domain.

Easy to say because refpolicy does not use them anyways. At least not the dbus_session_domain(). Once one starts confining user space (gnome apps etc), one will have to deal with this issue. One calls a dbus_session_domain for one user, one calls it for all users (including unconfined_t).

>
> >Signed-off-by: Dominick Grift
> >--- > >:100644 100644 5c2680c... 333cf99... M policy/modules/apps/pulseaudio.te > >:100644 100644 39e901a... 4d16a6b... M policy/modules/services/dbus.if > > policy/modules/apps/pulseaudio.te | 2 +- > > policy/modules/services/dbus.if | 51 +----------------------------------- > > 2 files changed, 3 insertions(+), 50 deletions(-) > > > >diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te > >index 5c2680c..333cf99 100644 > >--- a/policy/modules/apps/pulseaudio.te > >+++ b/policy/modules/apps/pulseaudio.te 
> >@@ -107,7 +107,7 @@ optional_policy(` > > dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) > > dbus_system_bus_client(pulseaudio_t) > > dbus_session_bus_client(pulseaudio_t) > >- dbus_connect_session_bus(pulseaudio_t) > >+ dbus_connect_all_session_bus(pulseaudio_t) > > > > optional_policy(` > > consolekit_dbus_chat(pulseaudio_t) > >diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if > >index 39e901a..4d16a6b 100644 > >--- a/policy/modules/services/dbus.if > >+++ b/policy/modules/services/dbus.if > >@@ -221,25 +221,6 @@ interface(`dbus_session_bus_client',` > > > > ######################################## > > ## > >-## Send a message the session DBUS. > >-## > >-## > >-## > >-## Domain allowed access. > >-## > >-## > >-# > >-interface(`dbus_send_session_bus',` > >- gen_require(` > >- attribute session_bus_type; > >- class dbus send_msg; > >- ') > >- > >- allow $1 session_bus_type:dbus send_msg; > >-') > >- > >-######################################## > >-## > > ## Read dbus configuration. > > ## > > ## > >@@ -298,7 +279,7 @@ interface(`dbus_manage_lib_files',` > > > > ######################################## > > ## > >-## Connect to the system DBUS > >+## Connect to all session DBUS > > ## for service (acquire_svc). > > ## > > ## > >@@ -307,7 +288,7 @@ interface(`dbus_manage_lib_files',` > > ## > > ## > > # > >-interface(`dbus_connect_session_bus',` > >+interface(`dbus_connect_all_session_bus',` > > gen_require(` > > attribute session_bus_type; > > class dbus acquire_svc; 
> >@@ -318,34 +299,6 @@ interface(`dbus_connect_session_bus',` > > > > ######################################## > > ## > >-## Allow a application domain to be started > >-## by the session dbus. > >-## > >-## > >-## > >-## Type to be used as a domain. > >-## > >-## > >-## > >-## > >-## Type of the program to be used as an > >-## entry point to this domain. > >-## > >-## > >-# > >-interface(`dbus_session_domain',` > >- gen_require(` > >- attribute session_bus_type; > >- ') > >- > >- domtrans_pattern(session_bus_type, $2, $1) > >- > >- dbus_session_bus_client($1) > >- dbus_connect_session_bus($1) > >-') > >- > >-######################################## > >-## > > ## Connect to the system DBUS > > ## for service (acquire_svc). > > ## > > > > > > > >_______________________________________________ > >refpolicy mailing list > >refpolicy at oss.tresys.com > >http://oss.tresys.com/mailman/listinfo/refpolicy > > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com
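
Review bot: The identifier introduced in the pulseaudio.te hunk (@@ -107,7 +107,7 @@) is dbus_connect_all_session_bus(pulseaudio_t), but the commit message says the interface was renamed to dbus_rename_all_session_bus; the message should name the interface the diff actually adds. Since the message also says this interface "should really be changed into something more specific", a short comment at this call site stating why pulseaudio_t needs acquire_svc against every session bus type would keep that intent visible to whoever narrows it later.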
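
Review bot: The rename in dbus.if at @@ -307,7 +288,7 @@ removes dbus_connect_session_bus with no deprecated wrapper left behind, so any module outside the two files in this diffstat that still calls the old name will stop building. Consider keeping dbus_connect_session_bus as a thin interface that calls dbus_connect_all_session_bus($1) and emits a refpolicywarn deprecation message for a release. The summary rewritten at @@ -298,7 +279,7 @@ ("Connect to all session DBUS") now matches the session_bus_type attribute in the gen_require, which fixes the old copy of the system bus text; it would read more precisely as acquiring service names on all session buses, since the permission required is dbus acquire_svc.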
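
Review bot: The deletion of dbus_session_domain at @@ -318,34 +299,6 @@ drops the wrapper around domtrans_pattern(session_bus_type, $2, $1) without adding a narrower replacement, so a policy that confines bus-started session applications would have to write the transition by hand. The coarseness is real, because the source of the transition is the whole session_bus_type attribute rather than one user's bus type, but that argues for adding an interface that takes the specific bus domain as a parameter in the same series rather than removing the only helper. The same applies to dbus_send_session_bus removed at @@ -221,25 +221,6 @@, whose rule is allow $1 session_bus_type:dbus send_msg. Before either removal lands, grep the tree for remaining callers of both names, since the diffstat shows only pulseaudio.te and dbus.if being touched.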