From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 24 Jan 2011 01:43:52 +0100
Subject: [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference
policy
Message-ID: <1295829832.3862.61.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if
--- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if 2011-01-08 19:07:21.176730930 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if 2011-01-23 22:00:15.084140029 +0100
@@ -1 +1,42 @@
## Command-line CPU frequency settings.
+
+########################################
+##
+## Send a dbus message to
+## cpufreq-selector.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cpufreqselector_dbus_send',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## cpufreq-selector over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cpufreqselector_dbus_chat',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+ allow cpufreqselector_t $1:dbus send_msg;
+')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.te refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.te
--- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.te 2011-01-08 19:07:21.177731088 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.te 2011-01-23 22:00:15.085140190 +0100
@@ -50,3 +50,7 @@ optional_policy(`
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
')
+
+optional_policy(`
+ xserver_xdm_dbus_send(cpufreqselector_t)
+')
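Review bot: The reverse direction of each new dbus exchange is split across two modules instead of being expressed once with the `_dbus_chat` interface: `xserver_xdm_dbus_send(cpufreqselector_t)` here pairs with `cpufreqselector_dbus_send(xdm_t)` in xserver.te, and the two allows together are exactly what `cpufreqselector_dbus_chat(xdm_t)` grants, an interface this series adds to cpufreqselector.if but never calls. The same split recurs for avahi.te/xserver.te (`avahi_dbus_chat(xdm_t)`), avahi.te/ntp.te, devicekit.te/xserver.te, hal.te/xserver.te, networkmanager.te/xserver.te, setroubleshoot.te/xserver.te and logging.te/setroubleshoot.te, where `logging_dbus_chat_dispatcher(setroubleshootd_t)` is likewise added but unused. Keeping both directions in the initiating module's `optional_policy` block leaves the full set of `send_msg` grants between two domains readable in one place, which is what a reviewer of a new bus-access rule needs; a lone `_dbus_send` is only appropriate where the peer genuinely never replies.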
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-dbus/policy/modules/services/avahi.if
--- refpolicy-git-18012011/policy/modules/services/avahi.if 2011-01-08 19:07:21.224738512 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/avahi.if 2011-01-23 22:00:15.086140351 +0100
@@ -75,6 +75,25 @@ interface(`avahi_signull',`
########################################
##
+## Send a dbus message to avahi.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`avahi_dbus_send',`
+ gen_require(`
+ type avahi_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 avahi_t:dbus send_msg;
+')
+
+########################################
+##
## Send and receive messages from
## avahi over dbus.
##
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-dbus/policy/modules/services/avahi.te
--- refpolicy-git-18012011/policy/modules/services/avahi.te 2011-01-08 19:07:21.224738512 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/avahi.te 2011-01-23 22:00:15.087140512 +0100
@@ -104,9 +104,17 @@ optional_policy(`
')
optional_policy(`
+ ntp_dbus_send(avahi_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(avahi_t)
')
optional_policy(`
udev_read_db(avahi_t)
')
+
+optional_policy(`
+ xserver_xdm_dbus_send(avahi_t)
+')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-dbus/policy/modules/services/consolekit.if
--- refpolicy-git-18012011/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/consolekit.if 2011-01-23 22:00:15.089140834 +0100
@@ -20,6 +20,26 @@ interface(`consolekit_domtrans',`
########################################
##
+## Send a dbus message to
+## consolekit.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_dbus_send',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolekit_t:dbus send_msg;
+')
+
+########################################
+##
## Send and receive messages from
## consolekit over dbus.
##
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-dbus/policy/modules/services/dbus.te
--- refpolicy-git-18012011/policy/modules/services/dbus.te 2011-01-08 19:07:21.238740722 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/dbus.te 2011-01-23 22:01:53.627052747 +0100
@@ -141,6 +141,27 @@ optional_policy(`
')
optional_policy(`
+ consolekit_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+ cpufreqselector_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+ devicekit_dbus_send_disk(system_dbusd_t)
+ devicekit_dbus_send_power(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+ ntp_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
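Review bot: These blocks grant `system_dbusd_t` `send_msg` toward individual service domains one module at a time (consolekit, cpufreqselector, devicekit, networkmanager, ntp here, xdm in the next hunk), and every new bus-enabled service would have to be re-listed here. If, as it appears, these are the bus daemon's own replies and signals to ordinary bus clients, a single reverse rule inside `dbus_system_bus_client` — `allow system_dbusd_t $1:dbus send_msg;` — would cover every client uniformly; I cannot see dbus.if in this series, so the placement is inferred from the `dbus_system_bus_client(audisp_t)` call visible in logging.te. `ntp_dbus_chat(system_dbusd_t)` additionally grants the ntpd_t → system_dbusd_t direction, which a bus client gets from `dbus_system_bus_client(ntpd_t)` anyway, so the one-way `ntp_dbus_send` form used for the other services looks like the intended one.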
@@ -154,6 +175,10 @@ optional_policy(`
udev_read_db(system_dbusd_t)
')
+optional_policy(`
+ xserver_xdm_dbus_chat(system_dbusd_t)
+')
+
########################################
#
# Unconfined access to this module
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-dbus/policy/modules/services/devicekit.if
--- refpolicy-git-18012011/policy/modules/services/devicekit.if 2011-01-08 19:07:21.240741038 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/devicekit.if 2011-01-23 22:06:30.631464531 +0100
@@ -39,6 +39,44 @@ interface(`devicekit_dgram_send',`
########################################
##
+## Send a dbus message to devicekit.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_send',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+')
+
+########################################
+##
+## Send a dbus message to devicekit disk.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_send_disk',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_disk_t:dbus send_msg;
+')
+
+########################################
+##
## Send and receive messages from
## devicekit over dbus.
##
@@ -98,6 +136,25 @@ interface(`devicekit_signal_power',`
')
########################################
+##
+## Send a dbus message to devicekit power.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_send_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+')
+
+########################################
##
## Send and receive messages from
## devicekit power over dbus.
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-dbus/policy/modules/services/devicekit.te
--- refpolicy-git-18012011/policy/modules/services/devicekit.te 2011-01-08 19:07:21.241741196 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/devicekit.te 2011-01-23 22:00:15.100142603 +0100
@@ -178,6 +178,10 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
+optional_policy(`
+ xserver_xdm_dbus_send(devicekit_disk_t)
+')
+
########################################
#
# DeviceKit-Power local policy
@@ -282,3 +286,7 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+
+optional_policy(`
+ xserver_xdm_dbus_send(devicekit_power_t)
+')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-dbus/policy/modules/services/hal.te
--- refpolicy-git-18012011/policy/modules/services/hal.te 2011-01-08 19:07:21.252742934 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/hal.te 2011-01-23 22:00:15.102142923 +0100
@@ -338,6 +338,10 @@ optional_policy(`
virt_manage_images(hald_t)
')
+optional_policy(`
+ xserver_xdm_dbus_send(hald_t)
+')
+
########################################
#
# Hal acl local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.if
--- refpolicy-git-18012011/policy/modules/services/networkmanager.if 2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.if 2011-01-23 22:00:15.103143084 +0100
@@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran
########################################
##
+## Send a dbus message to NetworkManager.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_dbus_send',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 NetworkManager_t:dbus send_msg;
+')
+
+########################################
+##
## Send and receive messages from
## NetworkManager over dbus.
##
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.te
--- refpolicy-git-18012011/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.te 2011-01-23 22:00:15.104143245 +0100
@@ -265,6 +265,10 @@ optional_policy(`
vpn_signull(NetworkManager_t)
')
+optional_policy(`
+ xserver_xdm_dbus_send(NetworkManager_t)
+')
+
########################################
#
# wpa_cli local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-dbus/policy/modules/services/ntp.if
--- refpolicy-git-18012011/policy/modules/services/ntp.if 2011-01-08 19:07:21.272746092 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/ntp.if 2011-01-23 22:00:15.105143406 +0100
@@ -163,3 +163,62 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
')
+
+########################################
+##
+## Send a dbus message to ntpd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_dbus_send',`
+ gen_require(`
+ type ntpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ntpd_t:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## ntpd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_dbus_chat',`
+ gen_require(`
+ type ntpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ntpd_t:dbus send_msg;
+ allow ntpd_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Connect to dbus using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_dbus_stream_connect',`
+ gen_require(`
+ type system_dbusd_t, system_dbusd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+')
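Review bot: `ntp_dbus_stream_connect` requires `system_dbusd_t` and `system_dbusd_var_run_t`, which are owned by the dbus module, and its only caller is ntp.te passing ntpd_t itself, so it is neither an ntp-provided interface nor correctly layered: by refpolicy convention only dbus.if references dbus-owned types, and other modules reach them through the dbus interfaces. The existing `dbus_system_bus_client(ntpd_t)`, placed in an `optional_policy` block in ntp.te, gives the same `files_search_pids` and `stream_connect_pattern` access and also the `send_msg` toward the bus that a client needs, after which this interface and its call in ntp.te can be dropped. `ntp_dbus_send` and `ntp_dbus_chat` above are the correct ntp-owned side and can stay.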
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-dbus/policy/modules/services/ntp.te
--- refpolicy-git-18012011/policy/modules/services/ntp.te 2011-01-08 19:07:21.272746092 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/ntp.te 2011-01-23 22:00:15.106143567 +0100
@@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt
userdom_list_user_home_dirs(ntpd_t)
optional_policy(`
+ avahi_dbus_send(ntpd_t)
+')
+
+optional_policy(`
# for cron jobs
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
optional_policy(`
+ ntp_dbus_stream_connect(ntpd_t)
+')
+
+optional_policy(`
gpsd_rw_shm(ntpd_t)
')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.if
--- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if 2011-01-08 19:07:21.304751146 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.if 2011-01-23 22:00:15.107143728 +0100
@@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre
########################################
##
+## Send a dbus message to
+## setroubleshoot.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`setroubleshoot_dbus_send',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshootd_t:dbus send_msg;
+')
+
+########################################
+##
## Send and receive messages from
## setroubleshoot over dbus.
##
@@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus
########################################
##
+## Send a dbus message to
+## setroubleshoot fixit.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`setroubleshoot_dbus_send_fixit',`
+ gen_require(`
+ type setroubleshoot_fixit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshoot_fixit_t:dbus send_msg;
+')
+
+########################################
+##
## Send and receive messages from
-## setroubleshoot over dbus.
+## setroubleshoot fixit over dbus.
##
##
##
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.te
--- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te 2011-01-08 19:07:21.305751304 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.te 2011-01-23 22:00:15.120145817 +0100
@@ -125,12 +125,20 @@ optional_policy(`
')
optional_policy(`
+ logging_dbus_send_dispatcher(setroubleshootd_t)
+')
+
+optional_policy(`
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
')
+optional_policy(`
+ xserver_xdm_dbus_send(setroubleshootd_t)
+')
+
########################################
#
# setroubleshoot_fixit local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-dbus/policy/modules/services/xserver.if
--- refpolicy-git-18012011/policy/modules/services/xserver.if 2011-01-08 19:07:21.344757464 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/xserver.if 2011-01-23 22:00:15.121145978 +0100
@@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+##
+## Send a dbus message to xdm.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_xdm_dbus_send',`
+ gen_require(`
+ type xdm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 xdm_t:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## xdm over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_xdm_dbus_chat',`
+ gen_require(`
+ type xdm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 xdm_t:dbus send_msg;
+ allow xdm_t $1:dbus send_msg;
+')
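Review bot: The new names `xserver_xdm_dbus_send` and `xserver_xdm_dbus_chat` put the object before the verb, whereas the other xdm interfaces in this file, as far as I can see, follow the `xserver_<action>_xdm` pattern (for example `xserver_domtrans_xdm`, `xserver_stream_connect_xdm`); `xserver_dbus_send_xdm` and `xserver_dbus_chat_xdm` would match. I believe an `xserver_dbus_chat_xdm` interface with the same two allows already exists in this tree, which would make the chat variant a duplicate — worth checking before adding it. If the send variant is renamed, the call sites in cpufreqselector.te, avahi.te, devicekit.te, hal.te, networkmanager.te and setroubleshoot.te follow.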
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-dbus/policy/modules/services/xserver.te
--- refpolicy-git-18012011/policy/modules/services/xserver.te 2011-01-08 19:07:21.344757464 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/xserver.te 2011-01-23 22:00:15.126146783 +0100
@@ -508,6 +508,10 @@ optional_policy(`
')
optional_policy(`
+ avahi_dbus_send(xdm_t)
+')
+
+optional_policy(`
consolekit_dbus_chat(xdm_t)
')
@@ -516,12 +520,25 @@ optional_policy(`
')
optional_policy(`
+ cpufreqselector_dbus_send(xdm_t)
+')
+
+optional_policy(`
+ devicekit_dbus_send_disk(xdm_t)
+ devicekit_dbus_send_power(xdm_t)
+')
+
+optional_policy(`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
')
optional_policy(`
+ hal_dbus_send(xdm_t)
+')
+
+optional_policy(`
hostname_exec(xdm_t)
')
@@ -539,10 +556,18 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_dbus_send(xdm_t)
+')
+
+optional_policy(`
resmgr_stream_connect(xdm_t)
')
optional_policy(`
+ setroubleshoot_dbus_send(xdm_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-dbus/policy/modules/system/logging.if
--- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/system/logging.if 2011-01-23 22:00:15.130147425 +0100
@@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
########################################
##
+## Send a dbus message to the audit
+## dispatcher.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_dbus_send_dispatcher',`
+ gen_require(`
+ type audisp_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 audisp_t:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## the audit dispatcher over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_dbus_chat_dispatcher',`
+ gen_require(`
+ type audisp_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 audisp_t:dbus send_msg;
+ allow audisp_t $1:dbus send_msg;
+')
+
+########################################
+##
## Manage the auditd configuration files.
##
##
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-dbus/policy/modules/system/logging.te
--- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/system/logging.te 2011-01-23 22:00:15.134148069 +0100
@@ -246,6 +246,10 @@ optional_policy(`
dbus_system_bus_client(audisp_t)
')
+optional_policy(`
+ setroubleshoot_dbus_send(audisp_t)
+')
+
########################################
#
# Audit remote logger local policy