From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 19 Apr 2017 13:23:38 +0200
Subject: [refpolicy] [PATCH] Gnome and Evolution dbus chat permissions
In-Reply-To: <d6335b7a-ff4c-fce2-542b-fe7244bdf260@ieee.org>
References: <1492538662.17326.1.camel@trentalancia.net>
	<d6335b7a-ff4c-fce2-542b-fe7244bdf260@ieee.org>
Message-ID: <D2FE545B-2077-4ACA-BCEE-230135349DAF@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello. 

This patch is very important: for example, the password remembering functionality in Evolution depends on it!

I will rebase it, fix the comment format and repost it in a few hours. 

Thanks, 

Guido 

On the 19th of April 2017 03:51:12 CEST, Chris PeBenito <pebenito@ieee.org> wrote:
>On 04/18/2017 02:04 PM, Guido Trentalancia via refpolicy wrote:
>> This patch adds assorted permission to chat over dbus needed
>> for the correct functioning of Gnome and Evolution.
>
>This didn't apply for me, but may be due to Russell's patches.  One 
>other trivial comment below.
>
>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/contrib/evolution.te |    5 ++++
>>  policy/modules/contrib/gnome.if     |   37
>++++++++++++++++++++++++++++++++++++
>>  2 files changed, 42 insertions(+)
>>
>> diff -pru
>refpolicy-git-18042017-1918-orig/policy/modules/contrib/evolution.te
>refpolicy-git-18042017-1918/policy/modules/contrib/evolution.te
>> ---
>refpolicy-git-18042017-1918-orig/policy/modules/contrib/evolution.te	2017-03-29
>17:58:00.276386397 +0200
>> +++
>refpolicy-git-18042017-1918/policy/modules/contrib/evolution.te	2017-04-18
>19:39:13.184604734 +0200
>> @@ -340,6 +340,11 @@ tunable_policy(`use_samba_home_dirs',`
>>
>>  optional_policy(`
>>  	dbus_all_session_bus_client(evolution_alarm_t)
>> +	dbus_connect_all_session_bus(evolution_alarm_t)
>> +
>> +	optional_policy(`
>> +		evolution_dbus_chat(evolution_alarm_t)
>> +	')
>>  ')
>>
>>  optional_policy(`
>> diff -pru
>refpolicy-git-18042017-1918-orig/policy/modules/contrib/gnome.if
>refpolicy-git-18042017-1918/policy/modules/contrib/gnome.if
>> ---
>refpolicy-git-18042017-1918-orig/policy/modules/contrib/gnome.if	2017-03-29
>17:58:00.281386397 +0200
>> +++
>refpolicy-git-18042017-1918/policy/modules/contrib/gnome.if	2017-04-18
>19:51:01.702601837 +0200
>> @@ -112,8 +112,17 @@ template(`gnome_role_template',`
>>  		dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
>>
>>  		optional_policy(`
>> +			evolution_dbus_chat($1_gkeyringd_t)
>> +		')
>> +
>> +		optional_policy(`
>> +			gnome_dbus_chat_gconfd($3)
>>  			gnome_dbus_chat_gkeyringd($1, $3)
>>  		')
>> +
>> +		optional_policy(`
>> +			wm_dbus_chat($1, $1_gkeyringd_t)
>> +		')
>>  	')
>>  ')
>>
>> @@ -682,6 +691,34 @@ interface(`gnome_read_keyring_home_files
>>  ')
>>
>>  ########################################
>> +### <summary>
>> +###	Send and receive messages from
>> +###	gnome configuration daemon over
>> +###	dbus.
>> +### </summary>
>> +### <param name="role_prefix">
>> +###	<summary>
>> +###	The prefix of the user domain (e.g., user
>> +###	is the prefix for user_t).
>> +###	</summary>
>> +### </param>
>> +### <param name="domain">
>> +###	<summary>
>> +###	Domain allowed access.
>> +###	</summary>
>> +### </param>
>> +##
>
>Too many #
>
>> +interface(`gnome_dbus_chat_gconfd',`
>> +	gen_require(`
>> +		type gconfd_t;
>> +		class dbus send_msg;
>> +	')
>> +
>> +	allow $1 gconfd_t:dbus send_msg;
>> +	allow gconfd_t $1:dbus send_msg;
>> +')
>> +
>> +########################################
>>  ## <summary>
>>  ##	Send and receive messages from
>>  ##	gnome keyring daemon over dbus.