From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 19 Apr 2017 15:37:16 +0200
Subject: [refpolicy] [PATCH v3] Gnome and Evolution dbus chat permissions
In-Reply-To: <201704192324.00045.russell@coker.com.au>
References: <1492538662.17326.1.camel@trentalancia.net> <1492606444.4994.9.camel@trentalancia.net> <201704192324.00045.russell@coker.com.au>
Message-ID: <1492609036.4994.15.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch adds assorted permissions to chat over dbus needed for the correct functioning of Gnome and Evolution.

The second version simply removes an extra "#" prefix from the comments.

This third version rebases the patch so that it applies to the most recent git tree (thanks to Christopher PeBenito and Russell Coker for pointing that out).

Signed-off-by: Guido Trentalancia
--- policy/modules/contrib/evolution.te | 4 +++ policy/modules/contrib/gnome.if | 37 ++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) diff -pru refpolicy-git-19042017-orig/policy/modules/contrib/evolution.te refpolicy-git-19042017/policy/modules/contrib/evolution.te --- refpolicy-git-19042017-orig/policy/modules/contrib/evolution.te 2017-04-19 15:24:48.035784797 +0200 +++ refpolicy-git-19042017/policy/modules/contrib/evolution.te 2017-04-19 15:29:03.587783753 +0200 @@ -345,6 +345,10 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_all_session_bus_client(evolution_alarm_t) dbus_connect_all_session_bus(evolution_alarm_t) + + optional_policy(` + evolution_dbus_chat(evolution_alarm_t) + ') ') optional_policy(` diff -pru refpolicy-git-19042017-orig/policy/modules/contrib/gnome.if refpolicy-git-19042017/policy/modules/contrib/gnome.if --- refpolicy-git-19042017-orig/policy/modules/contrib/gnome.if 2017-03-29 17:58:00.281386397 +0200 +++ refpolicy-git-19042017/policy/modules/contrib/gnome.if 2017-04-19 15:25:22.778784655 +0200 
@@ -112,8 +112,17 @@ template(`gnome_role_template',` dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) optional_policy(` + evolution_dbus_chat($1_gkeyringd_t) + ') + + optional_policy(` + gnome_dbus_chat_gconfd($3) gnome_dbus_chat_gkeyringd($1, $3) ') + + optional_policy(` + wm_dbus_chat($1, $1_gkeyringd_t) + ') ') ') @@ -682,6 +691,34 @@ interface(`gnome_read_keyring_home_files ') ######################################## +## +## Send and receive messages from +## gnome configuration daemon over +## dbus. +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dbus_chat_gconfd',` + gen_require(` + type gconfd_t; + class dbus send_msg; + ') + + allow $1 gconfd_t:dbus send_msg; + allow gconfd_t $1:dbus send_msg; +') + +######################################## ## ## Send and receive messages from ## gnome keyring daemon over dbus.
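
Review bot: In the evolution.te hunk, the nested optional_policy around evolution_dbus_chat(evolution_alarm_t) looks unnecessary. The call sits in evolution.te and, going by its prefix, the interface belongs to the evolution module itself, so it is always available there; the enclosing optional_policy block already covers the dbus dependency. Suggest calling evolution_dbus_chat(evolution_alarm_t) directly after dbus_connect_all_session_bus(evolution_alarm_t) without the inner block.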
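
Review bot: The three grants added to gnome_role_template in the first gnome.if hunk carry no justification: evolution_dbus_chat($1_gkeyringd_t), gnome_dbus_chat_gconfd($3) and wm_dbus_chat($1, $1_gkeyringd_t) take effect for every role that instantiates the template, yet neither the hunk nor the commit message says which denial each one resolves. Suggest a one-line comment above each optional_policy block, or the relevant AVC denials in the commit message, so each send_msg grant can be checked against least privilege.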
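
Review bot: The documentation block for gnome_dbus_chat_gconfd in the last gnome.if hunk describes two parameters (the user domain prefix and the domain allowed access), but the interface body only uses $1 and the template calls it with a single argument, gnome_dbus_chat_gconfd($3). As written, $1 is documented as the role prefix while the rule allow $1 gconfd_t:dbus send_msg; treats it as the domain. Suggest dropping the prefix parameter from the comment so that the single documented parameter is the domain allowed access.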