From: domg472@gmail.com (Dominick Grift)
Date: Mon, 24 Jan 2011 15:24:53 +0100
Subject: [refpolicy] [PATCH/RFC 2/19]: patch set to update the git
reference policy
In-Reply-To: <1295829832.3862.61.camel@tesla.lan>
References: <1295829832.3862.61.camel@tesla.lan>
Message-ID: <4D3D8BB5.4010501@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if
> --- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if 2011-01-08 19:07:21.176730930 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if 2011-01-23 22:00:15.084140029 +0100
> @@ -1 +1,42 @@
> ## Command-line CPU frequency settings.
> +
> +########################################
> +##
> +## Send a dbus message to
> +## cpufreq-selector.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`cpufreqselector_dbus_send',`
> + gen_require(`
> + type cpufreqselector_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 cpufreqselector_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> +## Send and receive messages from
> +## cpufreq-selector over dbus.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`cpufreqselector_dbus_chat',`
> + gen_require(`
> + type cpufreqselector_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 cpufreqselector_t:dbus send_msg;
> + allow cpufreqselector_t $1:dbus send_msg;
> +')
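Review bot: the doc blocks of `cpufreqselector_dbus_send` and `cpufreqselector_dbus_chat` show empty `##` lines around "Send a dbus message to cpufreq-selector." and "Domain allowed access."; refpolicy's documentation tooling expects `<summary>`/`</summary>` and `<param name="domain">`/`</param>` markup there, so please confirm the tags are present in the real files and not just lost in the mail. The summary of `_dbus_send` should also say that it is one-way: a D-Bus method call needs the reply from cpufreqselector_t back to the caller, which only the `_dbus_chat` variant grants, so `_dbus_send` fits signals and fire-and-forget messages but not method calls.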
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.te refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.te
> --- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.te 2011-01-08 19:07:21.177731088 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.te 2011-01-23 22:00:15.085140190 +0100
> @@ -50,3 +50,7 @@ optional_policy(`
> policykit_read_lib(cpufreqselector_t)
> policykit_read_reload(cpufreqselector_t)
> ')
> +
> +optional_policy(`
> + xserver_xdm_dbus_send(cpufreqselector_t)
> +')
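Review bot: `xserver_xdm_dbus_send(cpufreqselector_t)` here, together with `cpufreqselector_dbus_send(xdm_t)` in the xserver.te hunk of this same patch, adds the two halves of one bidirectional exchange in two different modules. The existing convention is a single `cpufreqselector_dbus_chat(xdm_t)` call in xserver.te, which keeps the pairing in one place and records which side initiates the conversation; the same split shows up for avahi/ntp, hal/xdm, NetworkManager/xdm and setroubleshoot/audisp in this series.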
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-dbus/policy/modules/services/avahi.if
> --- refpolicy-git-18012011/policy/modules/services/avahi.if 2011-01-08 19:07:21.224738512 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/avahi.if 2011-01-23 22:00:15.086140351 +0100
> @@ -75,6 +75,25 @@ interface(`avahi_signull',`
>
> ########################################
> ##
> +## Send a dbus message to avahi.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`avahi_dbus_send',`
> + gen_require(`
> + type avahi_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 avahi_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> ## Send and receive messages from
> ## avahi over dbus.
> ##
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-dbus/policy/modules/services/avahi.te
> --- refpolicy-git-18012011/policy/modules/services/avahi.te 2011-01-08 19:07:21.224738512 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/avahi.te 2011-01-23 22:00:15.087140512 +0100
> @@ -104,9 +104,17 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ntp_dbus_send(avahi_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(avahi_t)
> ')
>
> optional_policy(`
> udev_read_db(avahi_t)
> ')
> +
> +optional_policy(`
> + xserver_xdm_dbus_send(avahi_t)
> +')
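Review bot: `ntp_dbus_send(avahi_t)` and `xserver_xdm_dbus_send(avahi_t)` need a justification in the patch description: avahi-daemon is normally the D-Bus service being called, not a peer that initiates messages to ntpd or the display manager, so please include the AVC denials (or the interface being used) that motivated these rules; `send_msg` rules are the whole of the D-Bus confinement, so each one should be traceable to an observed message.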
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-dbus/policy/modules/services/consolekit.if
> --- refpolicy-git-18012011/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/consolekit.if 2011-01-23 22:00:15.089140834 +0100
> @@ -20,6 +20,26 @@ interface(`consolekit_domtrans',`
>
> ########################################
> ##
> +## Send a dbus message to
> +## consolekit.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`consolekit_dbus_send',`
> + gen_require(`
> + type consolekit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 consolekit_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> ## Send and receive messages from
> ## consolekit over dbus.
> ##
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-dbus/policy/modules/services/dbus.te
> --- refpolicy-git-18012011/policy/modules/services/dbus.te 2011-01-08 19:07:21.238740722 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/dbus.te 2011-01-23 22:01:53.627052747 +0100
> @@ -141,6 +141,27 @@ optional_policy(`
> ')
>
> optional_policy(`
> + consolekit_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + cpufreqselector_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + devicekit_dbus_send_disk(system_dbusd_t)
> + devicekit_dbus_send_power(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + networkmanager_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + ntp_dbus_chat(system_dbusd_t)
> +')
> +
> +optional_policy(`
> policykit_dbus_chat(system_dbusd_t)
> policykit_domtrans_auth(system_dbusd_t)
> policykit_search_lib(system_dbusd_t)
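Review bot: the new `system_dbusd_t` rules mix `_dbus_send` for consolekit, cpufreqselector, devicekit and NetworkManager with `ntp_dbus_chat(system_dbusd_t)` for ntpd; the asymmetry should either be explained or made consistent, since `ntp_dbus_chat` additionally lets ntpd_t send to the bus daemon, which is the job of `dbus_system_bus_client(ntpd_t)` in ntp.te rather than of a rule here. More generally, please check whether messages from the bus daemon to these services are already covered by the dbus module's own client/domain interfaces (compare the `dbus_system_bus_client(audisp_t)` line in the logging.te hunk) before adding per-service rules to dbus.te.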
> @@ -154,6 +175,10 @@ optional_policy(`
> udev_read_db(system_dbusd_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_chat(system_dbusd_t)
> +')
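Review bot: `xserver_xdm_dbus_chat(system_dbusd_t)` also grants xdm_t send_msg to system_dbusd_t, which xdm_t should already have as a system bus client; if it does, `xserver_xdm_dbus_send(system_dbusd_t)` is the narrower rule and matches the `_dbus_send` entries added to this file in the previous hunk.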
> +
> ########################################
> #
> # Unconfined access to this module
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-dbus/policy/modules/services/devicekit.if
> --- refpolicy-git-18012011/policy/modules/services/devicekit.if 2011-01-08 19:07:21.240741038 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/devicekit.if 2011-01-23 22:06:30.631464531 +0100
> @@ -39,6 +39,44 @@ interface(`devicekit_dgram_send',`
>
> ########################################
> ##
> +## Send a dbus message to devicekit.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`devicekit_dbus_send',`
> + gen_require(`
> + type devicekit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> +## Send a dbus message to devicekit disk.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`devicekit_dbus_send_disk',`
> + gen_require(`
> + type devicekit_disk_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_disk_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> ## Send and receive messages from
> ## devicekit over dbus.
> ##
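Review bot: `devicekit_dbus_send` (for devicekit_t) is added but nothing in this series calls it; only `devicekit_dbus_send_disk` and `devicekit_dbus_send_power` are used (dbus.te and xserver.te hunks). An unused interface is dead policy that still has to be maintained, so either drop it or add the caller that needs it.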
> @@ -98,6 +136,25 @@ interface(`devicekit_signal_power',`
> ')
>
> ########################################
> +##
> +## Send a dbus message to devicekit power.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`devicekit_dbus_send_power',`
> + gen_require(`
> + type devicekit_power_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_power_t:dbus send_msg;
> +')
> +
> +########################################
> ##
> ## Send and receive messages from
> ## devicekit power over dbus.
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-dbus/policy/modules/services/devicekit.te
> --- refpolicy-git-18012011/policy/modules/services/devicekit.te 2011-01-08 19:07:21.241741196 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/devicekit.te 2011-01-23 22:00:15.100142603 +0100
> @@ -178,6 +178,10 @@ optional_policy(`
> virt_manage_images(devicekit_disk_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(devicekit_disk_t)
> +')
> +
> ########################################
> #
> # DeviceKit-Power local policy
> @@ -282,3 +286,7 @@ optional_policy(`
> optional_policy(`
> vbetool_domtrans(devicekit_power_t)
> ')
> +
> +optional_policy(`
> + xserver_xdm_dbus_send(devicekit_power_t)
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-dbus/policy/modules/services/hal.te
> --- refpolicy-git-18012011/policy/modules/services/hal.te 2011-01-08 19:07:21.252742934 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/hal.te 2011-01-23 22:00:15.102142923 +0100
> @@ -338,6 +338,10 @@ optional_policy(`
> virt_manage_images(hald_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(hald_t)
> +')
> +
> ########################################
> #
> # Hal acl local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.if
> --- refpolicy-git-18012011/policy/modules/services/networkmanager.if 2011-01-08 19:07:21.269745618 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.if 2011-01-23 22:00:15.103143084 +0100
> @@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran
>
> ########################################
> ##
> +## Send a dbus message to NetworkManager.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`networkmanager_dbus_send',`
> + gen_require(`
> + type NetworkManager_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 NetworkManager_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> ## Send and receive messages from
> ## NetworkManager over dbus.
> ##
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.te
> --- refpolicy-git-18012011/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.te 2011-01-23 22:00:15.104143245 +0100
> @@ -265,6 +265,10 @@ optional_policy(`
> vpn_signull(NetworkManager_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(NetworkManager_t)
> +')
> +
> ########################################
> #
> # wpa_cli local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-dbus/policy/modules/services/ntp.if
> --- refpolicy-git-18012011/policy/modules/services/ntp.if 2011-01-08 19:07:21.272746092 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/ntp.if 2011-01-23 22:00:15.105143406 +0100
> @@ -163,3 +163,62 @@ interface(`ntp_admin',`
> files_list_pids($1)
> admin_pattern($1, ntpd_var_run_t)
> ')
> +
> +########################################
> +##
> +## Send a dbus message to ntpd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`ntp_dbus_send',`
> + gen_require(`
> + type ntpd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ntpd_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> +## Send and receive messages from
> +## ntpd over dbus.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`ntp_dbus_chat',`
> + gen_require(`
> + type ntpd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ntpd_t:dbus send_msg;
> + allow ntpd_t $1:dbus send_msg;
> +')
> +
> +########################################
> +##
> +## Connect to dbus using a unix domain stream socket.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`ntp_dbus_stream_connect',`
> + gen_require(`
> + type system_dbusd_t, system_dbusd_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
> +')
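Review bot: `ntp_dbus_stream_connect` reimplements what the dbus module already provides: its `gen_require` pulls `system_dbusd_t` and `system_dbusd_var_run_t` into the ntp module's interface file, and the body repeats the `files_search_pids` plus `stream_connect_pattern` that `dbus_system_bus_client()` performs. Drop the interface and call `dbus_system_bus_client(ntpd_t)` from an `optional_policy` block in ntp.te instead; that also gives ntpd_t the `send_msg` to the bus daemon it needs to use the system bus at all, which a bare stream connect does not.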
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-dbus/policy/modules/services/ntp.te
> --- refpolicy-git-18012011/policy/modules/services/ntp.te 2011-01-08 19:07:21.272746092 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/ntp.te 2011-01-23 22:00:15.106143567 +0100
> @@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt
> userdom_list_user_home_dirs(ntpd_t)
>
> optional_policy(`
> + avahi_dbus_send(ntpd_t)
> +')
> +
> +optional_policy(`
> # for cron jobs
> cron_system_entry(ntpd_t, ntpdate_exec_t)
> ')
>
> optional_policy(`
> + ntp_dbus_stream_connect(ntpd_t)
> +')
> +
> +optional_policy(`
> gpsd_rw_shm(ntpd_t)
> ')
>
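Review bot: `ntp_dbus_stream_connect(ntpd_t)` is wrapped in `optional_policy()` although it is an interface of the ntp module itself, so the wrapper never does anything; an optional block is only meaningful around a call into another module, which is what `dbus_system_bus_client(ntpd_t)` would be. The block is also out of the file's alphabetical order (it sits between cron and gpsd).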
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.if
> --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if 2011-01-08 19:07:21.304751146 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.if 2011-01-23 22:00:15.107143728 +0100
> @@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre
>
> ########################################
> ##
> +## Send a dbus message to
> +## setroubleshoot.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`setroubleshoot_dbus_send',`
> + gen_require(`
> + type setroubleshootd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 setroubleshootd_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> ## Send and receive messages from
> ## setroubleshoot over dbus.
> ##
> @@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus
>
> ########################################
> ##
> +## Send a dbus message to
> +## setroubleshoot fixit.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`setroubleshoot_dbus_send_fixit',`
> + gen_require(`
> + type setroubleshoot_fixit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 setroubleshoot_fixit_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> ## Send and receive messages from
> -## setroubleshoot over dbus.
> +## setroubleshoot fixit over dbus.
> ##
> ##
> ##
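Review bot: the `-## setroubleshoot over dbus.` / `+## setroubleshoot fixit over dbus.` change corrects the pre-existing doc string of the fixit chat interface and is unrelated to the new `setroubleshoot_dbus_send_fixit` interface; a separate one-line patch would keep this series easier to review. `setroubleshoot_dbus_send_fixit` also has no caller anywhere in the series.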
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.te
> --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te 2011-01-08 19:07:21.305751304 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.te 2011-01-23 22:00:15.120145817 +0100
> @@ -125,12 +125,20 @@ optional_policy(`
> ')
>
> optional_policy(`
> + logging_dbus_send_dispatcher(setroubleshootd_t)
> +')
> +
> +optional_policy(`
> rpm_signull(setroubleshootd_t)
> rpm_read_db(setroubleshootd_t)
> rpm_dontaudit_manage_db(setroubleshootd_t)
> rpm_use_script_fds(setroubleshootd_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(setroubleshootd_t)
> +')
> +
> ########################################
> #
> # setroubleshoot_fixit local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-dbus/policy/modules/services/xserver.if
> --- refpolicy-git-18012011/policy/modules/services/xserver.if 2011-01-08 19:07:21.344757464 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/xserver.if 2011-01-23 22:00:15.121145978 +0100
> @@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +########################################
> +##
> +## Send a dbus message to xdm.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xserver_xdm_dbus_send',`
> + gen_require(`
> + type xdm_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 xdm_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> +## Send and receive messages from
> +## xdm over dbus.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xserver_xdm_dbus_chat',`
> + gen_require(`
> + type xdm_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 xdm_t:dbus send_msg;
> + allow xdm_t $1:dbus send_msg;
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-dbus/policy/modules/services/xserver.te
> --- refpolicy-git-18012011/policy/modules/services/xserver.te 2011-01-08 19:07:21.344757464 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/xserver.te 2011-01-23 22:00:15.126146783 +0100
> @@ -508,6 +508,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + avahi_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> consolekit_dbus_chat(xdm_t)
> ')
>
> @@ -516,12 +520,25 @@ optional_policy(`
> ')
>
> optional_policy(`
> + cpufreqselector_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> + devicekit_dbus_send_disk(xdm_t)
> + devicekit_dbus_send_power(xdm_t)
> +')
> +
> +optional_policy(`
> # Talk to the console mouse server.
> gpm_stream_connect(xdm_t)
> gpm_setattr_gpmctl(xdm_t)
> ')
>
> optional_policy(`
> + hal_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> hostname_exec(xdm_t)
> ')
>
> @@ -539,10 +556,18 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> resmgr_stream_connect(xdm_t)
> ')
>
> optional_policy(`
> + setroubleshoot_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(xdm_t)
> ')
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-dbus/policy/modules/system/logging.if
> --- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.if 2011-01-23 22:00:15.130147425 +0100
> @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
>
> ########################################
> ##
> +## Send a dbus message to the audit
> +## dispatcher.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`logging_dbus_send_dispatcher',`
> + gen_require(`
> + type audisp_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 audisp_t:dbus send_msg;
> +')
Not required; use logging_dbus_chat_audisp().
Although I doubt that audisp has dbus functionality at all in the first
place. (I may well be wrong.)
> +########################################
> +##
> +## Send and receive messages from
> +## the audit dispatcher over dbus.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`logging_dbus_chat_dispatcher',`
> + gen_require(`
> + type audisp_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 audisp_t:dbus send_msg;
> + allow audisp_t $1:dbus send_msg;
> +')
> +
> +########################################
> +##
> ## Manage the auditd configuration files.
> ##
> ##
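Review bot: `logging_dbus_chat_dispatcher` has no caller in this series and `logging_dbus_send_dispatcher` is called once (setroubleshoot.te); if the audit dispatcher really is a D-Bus peer, one interface is enough, and the reply from setroubleshootd_t back to audisp_t is already expressed by `setroubleshoot_dbus_send(audisp_t)` in the logging.te hunk. Please also state in the description which audisp component speaks D-Bus, since the rule is otherwise unverifiable.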
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-dbus/policy/modules/system/logging.te
> --- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.te 2011-01-23 22:00:15.134148069 +0100
> @@ -246,6 +246,10 @@ optional_policy(`
> dbus_system_bus_client(audisp_t)
> ')
>
> +optional_policy(`
> + setroubleshoot_dbus_send(audisp_t)
> +')
This should take care of chatting to audisp_t so the logging interfaces
above may no longer be needed.
I would have used setroubleshoot_dbus_chat() though.
> +
> ########################################
> #
> # Audit remote logger local policy
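Review bot: `setroubleshoot_dbus_send(audisp_t)` is the second half of the audisp/setroubleshoot pairing whose first half (`logging_dbus_send_dispatcher(setroubleshootd_t)`) lives in setroubleshoot.te; a single `setroubleshoot_dbus_chat(audisp_t)` here would express both directions in one module. The patch description should also cite the denial that produced this rule, so reviewers need not guess whether audisp initiates D-Bus traffic.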
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk09i7UACgkQMlxVo39jgT+cUQCdHMSGVR5jlCuUUm2m4CYUk2Fg
0WgAoMIlhCedmNrZsRVtFFJKi1JRJKh0
=sFuj
-----END PGP SIGNATURE-----