From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 18 Apr 2017 21:51:12 -0400
Subject: [refpolicy] [PATCH] Gnome and Evolution dbus chat permissions
In-Reply-To: <1492538662.17326.1.camel@trentalancia.net>
References: <1492538662.17326.1.camel@trentalancia.net>
Message-ID: <d6335b7a-ff4c-fce2-542b-fe7244bdf260@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/18/2017 02:04 PM, Guido Trentalancia via refpolicy wrote:
> This patch adds assorted permission to chat over dbus needed
> for the correct functioning of Gnome and Evolution.

This didn't apply for me, but may be due to Russell's patches.  One 
other trivial comment below.


> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/evolution.te |    5 ++++
>  policy/modules/contrib/gnome.if     |   37 ++++++++++++++++++++++++++++++++++++
>  2 files changed, 42 insertions(+)
>
> diff -pru refpolicy-git-18042017-1918-orig/policy/modules/contrib/evolution.te refpolicy-git-18042017-1918/policy/modules/contrib/evolution.te
> --- refpolicy-git-18042017-1918-orig/policy/modules/contrib/evolution.te	2017-03-29 17:58:00.276386397 +0200
> +++ refpolicy-git-18042017-1918/policy/modules/contrib/evolution.te	2017-04-18 19:39:13.184604734 +0200
> @@ -340,6 +340,11 @@ tunable_policy(`use_samba_home_dirs',`
>
>  optional_policy(`
>  	dbus_all_session_bus_client(evolution_alarm_t)
> +	dbus_connect_all_session_bus(evolution_alarm_t)
> +
> +	optional_policy(`
> +		evolution_dbus_chat(evolution_alarm_t)
> +	')
>  ')
>
>  optional_policy(`
> diff -pru refpolicy-git-18042017-1918-orig/policy/modules/contrib/gnome.if refpolicy-git-18042017-1918/policy/modules/contrib/gnome.if
> --- refpolicy-git-18042017-1918-orig/policy/modules/contrib/gnome.if	2017-03-29 17:58:00.281386397 +0200
> +++ refpolicy-git-18042017-1918/policy/modules/contrib/gnome.if	2017-04-18 19:51:01.702601837 +0200
> @@ -112,8 +112,17 @@ template(`gnome_role_template',`
>  		dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
>
>  		optional_policy(`
> +			evolution_dbus_chat($1_gkeyringd_t)
> +		')
> +
> +		optional_policy(`
> +			gnome_dbus_chat_gconfd($3)
>  			gnome_dbus_chat_gkeyringd($1, $3)
>  		')
> +
> +		optional_policy(`
> +			wm_dbus_chat($1, $1_gkeyringd_t)
> +		')
>  	')
>  ')
>
> @@ -682,6 +691,34 @@ interface(`gnome_read_keyring_home_files
>  ')
>
>  ########################################
> +### <summary>
> +###	Send and receive messages from
> +###	gnome configuration daemon over
> +###	dbus.
> +### </summary>
> +### <param name="role_prefix">
> +###	<summary>
> +###	The prefix of the user domain (e.g., user
> +###	is the prefix for user_t).
> +###	</summary>
> +### </param>
> +### <param name="domain">
> +###	<summary>
> +###	Domain allowed access.
> +###	</summary>
> +### </param>
> +##

Too many #

> +interface(`gnome_dbus_chat_gconfd',`
> +	gen_require(`
> +		type gconfd_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 gconfd_t:dbus send_msg;
> +	allow gconfd_t $1:dbus send_msg;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Send and receive messages from
>  ##	gnome keyring daemon over dbus.


-- 
Chris PeBenito