From: domg472@gmail.com (Dominick Grift)
Date: Mon, 24 Jan 2011 15:04:51 +0100
Subject: [refpolicy] [PATCH/RFC 8/19]: patch set to update the git reference policy
In-Reply-To: <1295829851.3862.67.camel@tesla.lan>
References: <1295829851.3862.67.camel@tesla.lan>
Message-ID: <4D3D8703.8040308@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> --- refpolicy-git-18012011-dbus-messaging/policy/modules/services/dbus.te 2011-01-23 23:13:48.168284256 +0100 > +++ refpolicy-git-18012011-dbus/policy/modules/services/dbus.te 2011-01-23 23:11:46.430346876 +0100 > @@ -52,7 +52,7 @@ ifdef(`enable_mls',` > > # dac_override: /var/run/dbus is owned by messagebus on Debian > # cjp: dac_override should probably go in a distro_debian > -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; > +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace }; > dontaudit system_dbusd_t self:capability sys_tty_config; > allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; > allow system_dbusd_t self:fifo_file rw_fifo_file_perms; 
> @@ -111,13 +111,20 @@ auth_read_pam_console_data(system_dbusd_ > corecmd_list_bin(system_dbusd_t) > corecmd_read_bin_pipes(system_dbusd_t) > corecmd_read_bin_sockets(system_dbusd_t) > +# needed for system-tools-backends > +corecmd_exec_shell(system_dbusd_t) > > domain_use_interactive_fds(system_dbusd_t) > domain_read_all_domains_state(system_dbusd_t) > > +files_search_default(system_dbusd_t) There should not be any default_t type directories. Thus this shouldn't be allowed. > +files_read_default_files(system_dbusd_t) There should not be any default_t type files. Thus this shouldn't be allowed. > files_read_etc_files(system_dbusd_t) > files_list_home(system_dbusd_t) > -files_read_usr_files(system_dbusd_t) > +files_exec_bin_files(system_dbusd_t) Which bin_t files is it executing? > +files_exec_usr_files(system_dbusd_t) Which usr_t files is it executing? > +files_read_var_lib_files(system_dbusd_t) > +files_var_log_append(system_dbusd_t) Which log is it appending to? > > init_use_fds(system_dbusd_t) > init_use_script_ptys(system_dbusd_t) > @@ -141,6 +148,7 @@ optional_policy(` > ') > > optional_policy(` > + consolekit_read_pid_files(system_dbusd_t) > consolekit_dbus_send(system_dbusd_t) > ')
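
Review bot: In the first hunk (@@ -52,7 +52,7 @@), sys_ptrace is added to the system_dbusd_t capability set with no comment, while dac_override in the same rule carries two lines of rationale directly above it. Please record which operation raised the denial. If the bus daemon works without the capability, a dontaudit rule in the style of the existing "dontaudit system_dbusd_t self:capability sys_tty_config;" would be the narrower choice.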
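
Review bot: In the second hunk (@@ -111,13 +111,20 @@), corecmd_exec_shell(system_dbusd_t) is added unconditionally even though its comment ties it to system-tools-backends, so every system bus daemon gains the ability to run a shell in its own domain. Consider moving it into an optional_policy block, or running that backend through a transition to a type of its own. The same hunk replaces files_read_usr_files(system_dbusd_t) with files_exec_usr_files without saying whether plain read access to usr_t files is still covered, and files_read_var_lib_files has no stated consumer; a one-line comment for each would let the access be checked.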