From: domg472@gmail.com (Dominick Grift) Date: Fri, 14 Jan 2011 10:34:13 +0100 Subject: [refpolicy] refpolicy-2.20101213 (mcs) and dbus messages In-Reply-To: <1294960535.3100.14.camel@tesla.lan> References: <1294867930.1731.34.camel@tesla.lan> <4D2EC398.7060304@gmail.com> <1294921531.3112.18.camel@tesla.lan> <4D2EF14E.8020903@gmail.com> <1294931759.3153.25.camel@tesla.lan> <4D2F1C7B.5040206@gmail.com> <1294946652.2985.19.camel@tesla.lan> <4D2F590C.8000005@gmail.com> <1294954622.3100.11.camel@tesla.lan> <4D2F71E7.7030901@gmail.com> <1294960535.3100.14.camel@tesla.lan> Message-ID: <4D301895.3050409@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/14/2011 12:15 AM, Guido Trentalancia wrote: > Hi Dominick ! > > On Thu, 13/01/2011 at 22.43 +0100, Dominick Grift wrote: >>> But in general for USER_AVCs there is nothing like audit2allow that can >>> be used to ease the job ? >> >> audit2allow can also be used for these dbus AVC' s sure. But if you want >> this stuff upstreamed then you will have to play by upstreams rules >> (style rules) > > No, apparently audit2allow doesn't do the job for USER_AVCs. Strange, in that case i guess you will have to translate it manually. 1. AVC denial: > > denied { send_msg } for msgtype=method_call > > interface=org.freedesktop.Hal.Manager member=FindDeviceByCapability > > dest=org.freedesktop.Hal spid=2928 tpid=2314 > > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > > tcontext=system_u:system_r:hald_t:s0 tclass=dbus : > > exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Raw policy: allow xdm_t hald_t:dbus send_msg; Possible macro/interface: hal_dbus_chat(xdm_t) 2. > > denied { send_msg } for msgtype=signal > > interface=org.freedesktop.PolicyKit1.Authority member=Changed > > dest=org.freedesktop.DBus spid=2613 tpid=2546 > > scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 > > tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=dbus : > > exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' > > Raw policy: allow system_dbusd_t consolekit_t:dbus send_msg; Possible macro/interface: consolekit_dbus_chat(system_dbusd_t) 3. > > denied { send_msg } for msgtype=method_call > > interface=org.freedesktop.DBus.Properties member=GetAll > > dest=org.freedesktop.UDisks spid=3567 tpid=3569 > > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > > tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=dbus : > > exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? > > terminal=?' Raw policy: allow xdm_t devicekit_disk_t:dbus send_msg; Possible macro/interface: devicekit_dbus_chat_disk(xdm_t) But this is only the start, You will probably encounter many more policy issues. You will need to be able to analyse them and resolve issues accordingly. > Regards, > > Guido > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0wGJUACgkQMlxVo39jgT/JeQCeOOJaD6xfHAC8okGnjE+qvNf+ Qi4An0KoDfyODqivlo/dFVkZ3pqLyQXw =cmPo -----END PGP SIGNATURE-----