From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 31 Jan 2011 13:52:34 -0500
Subject: [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy
In-Reply-To: <4D3D8BB5.4010501@gmail.com>
References: <1295829832.3862.61.camel@tesla.lan> <4D3D8BB5.4010501@gmail.com>
Message-ID: <4D4704F2.7080604@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 1/24/2011 9:24 AM, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:

Please include descriptions on each of your patches. The subject is definitely insufficient. I guess this is all the dbus changes you suggest? More

>> diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if
>> --- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if 2011-01-08 19:07:21.176730930 +0100
>> +++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if 2011-01-23 22:00:15.084140029 +0100
>> @@ -1 +1,42 @@
>> ##Command-line CPU frequency settings.
>> +

[cut]

>> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-dbus/policy/modules/system/logging.if
>> --- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
>> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.if 2011-01-23 22:00:15.130147425 +0100
>> @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
>>
>> ########################################
>> ##
>> +## Send a dbus message to the audit
>> +## dispatcher.
>> +##
>> +##
>> +##
>> +## Domain allowed access.
>> +##
>> +##
>> +#
>> +interface(`logging_dbus_send_dispatcher',`
>> + gen_require(`
>> + type audisp_t;
>> + class dbus send_msg;
>> + ')
>> +
>> + allow $1 audisp_t:dbus send_msg;
>> +')
>
>
> Not required use logging_dbus_chat_audisp()
>
> Although I doubt that audisp has dbus functionality at all in the first
> place. (I may well be wrong)

I believe the purpose of this dbus functionality is for auditd to send (via audisp) a message to setroubleshoot when there is a denial.

>> +########################################
>> +##
>> +## Send and receive messages from
>> +## the audit dispatcher over dbus.
>> +##
>> +##
>> +##
>> +## Domain allowed access.
>> +##
>> +##
>> +#
>> +interface(`logging_dbus_chat_dispatcher',`
>> + gen_require(`
>> + type audisp_t;
>> + class dbus send_msg;
>> + ')
>> +
>> + allow $1 audisp_t:dbus send_msg;
>> + allow audisp_t $1:dbus send_msg;
>> +')
>> +
>> +########################################
>> +##
>> ## Manage the auditd configuration files.
>> ##
>> ##
>> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-dbus/policy/modules/system/logging.te
>> --- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
>> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.te 2011-01-23 22:00:15.134148069 +0100
>> @@ -246,6 +246,10 @@ optional_policy(`
>> dbus_system_bus_client(audisp_t)
>> ')
>>
>> +optional_policy(`
>> + setroubleshoot_dbus_send(audisp_t)
>> +')
>
> This should take care of chatting to audisp_t so the logging interfaces
> above may no longer be needed.
>
> I would have used setroubleshoot_dbus_chat() though

It's unclear, though I would think that send would be sufficient. I don't see a need for there to be a response to audisp.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
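Review bot: in the logging.if hunk, the direction of `logging_dbus_send_dispatcher` (`allow $1 audisp_t:dbus send_msg`, i.e. some domain sending to audisp) is the reverse of the flow this thread describes (audisp notifying setroubleshoot of a denial), and that flow is already covered by the `setroubleshoot_dbus_send(audisp_t)` call in the logging.te hunk; unless a reply back to audisp is actually needed, both new logging interfaces look redundant, as the reply above says. If a send-only interface is kept, `logging_dbus_chat_dispatcher` should be dropped in favour of the existing `logging_dbus_chat_audisp()` named in the reply, and the send variant should follow the same `_audisp` naming so the two sit together in logging.if.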
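Review bot: in the logging.te hunk the new `optional_policy(` block is added as a sibling after the one containing `dbus_system_bus_client(audisp_t)`; since sending to setroubleshoot over dbus only makes sense when audisp is a dbus client, nest the `setroubleshoot_dbus_send(audisp_t)` call inside that dbus `optional_policy` block, as the rest of refpolicy does for dbus-dependent calls. Also, no setroubleshoot.if change is quoted in this message and the reply above only mentions `setroubleshoot_dbus_chat()`, so confirm that `setroubleshoot_dbus_send()` is defined elsewhere in this series, otherwise the logging module will fail to build; send-only is the right scope if no response to audisp is expected.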