From: russell@coker.com.au (Russell Coker) Date: Tue, 13 Feb 2018 11:36:49 +1100 Subject: [refpolicy] [PATCH] misc dbus patches Message-ID: <20180213003649.GA17327@xev> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Here is a collection of dbus policy patches, all fairly simple. Chris please merge the ones you like and we can discuss any you don't like afterwards. Index: refpolicy-2.20180211/policy/modules/contrib/apt.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/contrib/apt.te +++ refpolicy-2.20180211/policy/modules/contrib/apt.te @@ -148,6 +148,11 @@ optional_policy(` ') optional_policy(` + # for packagekitd + policykit_dbus_chat(apt_t) +') + +optional_policy(` # rkhunter trigger rkhunter_domtrans(apt_t) ') @@ -159,4 +164,5 @@ optional_policy(` optional_policy(` unconfined_domain(apt_t) + unconfined_dbus_send(apt_t) ') Index: refpolicy-2.20180211/policy/modules/contrib/dbus.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/contrib/dbus.te +++ refpolicy-2.20180211/policy/modules/contrib/dbus.te @@ -136,6 +136,9 @@ init_use_script_ptys(system_dbusd_t) init_all_labeled_script_domtrans(system_dbusd_t) init_start_system(system_dbusd_t) # needed by dbus-broker +# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/* +libs_exec_lib_files(system_dbusd_t) + logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) Index: refpolicy-2.20180211/policy/modules/contrib/devicekit.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/contrib/devicekit.te +++ refpolicy-2.20180211/policy/modules/contrib/devicekit.te @@ -194,6 +194,11 @@ optional_policy(` ') optional_policy(` + # gwenview triggers the need for this + xserver_dbus_chat_xdm(devicekit_disk_t) +') + +optional_policy(` virt_manage_images(devicekit_disk_t) ') 
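Review bot: `unconfined_dbus_send(apt_t)` in the second apt.te hunk has no comment saying what triggers it, while the other additions in this patch name their trigger (packagekitd, powerdevil, gwenview). The same gap applies to `unconfined_dbus_send(init_t)` in init.te and `unconfined_dbus_send(systemd_machined_t)` in systemd.te. A one-line comment above each call, e.g. `# for <program or denial that needs this>` (placeholder), would let a later audit decide whether the rule is still required. The optional_policy blocks around the apt.te and init.te calls begin outside their hunks.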
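Review bot: `libs_exec_lib_files(system_dbusd_t)` in the dbus.te hunk looks much wider than the stated need. The comment names only the powerdevil helpers under `/usr/lib/x86_64-linux-gnu/libexec/kauth/*`, but the interface, going by its name, lets the system bus daemon execute any file carrying the generic library label. If those helpers are launched by the bus daemon, they would presumably run in system_dbusd_t's own domain with its privileges. A tighter option is a dedicated file context and executable type for the kauth helpers, with a domain transition from system_dbusd_t. If the broad grant stays, the comment should say so, e.g. `# broad grant: kauth helpers have no dedicated type yet (to confirm)`.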
@@ -287,6 +292,7 @@ optional_policy(` optional_policy(` dbus_system_bus_client(devicekit_power_t) + init_dbus_chat(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; Index: refpolicy-2.20180211/policy/modules/system/init.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/system/init.te +++ refpolicy-2.20180211/policy/modules/system/init.te @@ -509,6 +509,7 @@ optional_policy(` optional_policy(` unconfined_domain(init_t) + unconfined_dbus_send(init_t) ') ######################################## Index: refpolicy-2.20180211/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/system/systemd.te +++ refpolicy-2.20180211/policy/modules/system/systemd.te @@ -308,6 +308,7 @@ systemd_log_parse_environment(systemd_ho optional_policy(` dbus_connect_system_bus(systemd_hostnamed_t) dbus_system_bus_client(systemd_hostnamed_t) + init_dbus_chat(systemd_hostnamed_t) ') optional_policy(` @@ -450,6 +451,8 @@ userdom_delete_all_user_runtime_files(sy userdom_delete_all_user_runtime_named_pipes(systemd_logind_t) userdom_delete_all_user_runtime_named_sockets(systemd_logind_t) userdom_delete_all_user_runtime_symlinks(systemd_logind_t) +# user_tmp_t is for the dbus-1 directory +userdom_list_user_tmp(systemd_logind_t) userdom_manage_user_runtime_dirs(systemd_logind_t) userdom_manage_user_runtime_root_dirs(systemd_logind_t) userdom_mounton_user_runtime_dirs(systemd_logind_t) @@ -482,6 +485,9 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(systemd_logind_t) ') +optional_policy(` + modemmanager_dbus_chat(systemd_logind_t) +') optional_policy(` policykit_dbus_chat(systemd_logind_t) 
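Review bot: `init_dbus_chat(devicekit_power_t)` is granted whenever the surrounding dbus optional block is active, whereas the locallogin.te hunk in this patch adds the same interface under ``ifdef(`init_systemd',` ``. On a build without systemd, init_t is presumably not a bus peer, so the rule only widens the set of domains allowed to exchange messages with init_t. Consider the same guard here and in the networkmanager.te hunk: ``ifdef(`init_systemd',` init_dbus_chat(devicekit_power_t) ')``. The enclosing optional_policy block starts and ends outside the hunk, so a guard further out cannot be ruled out from here.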
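Review bot: The new block for `modemmanager_dbus_chat(systemd_logind_t)` in the third systemd.te hunk appears to start directly after the closing `')` of the networkmanager block with no blank line between them. The other hunks in this patch add a blank line before each new `optional_policy`. It also comes after networkmanager, although the neighbouring blocks (networkmanager, policykit) look alphabetically ordered. Moving it ahead of the networkmanager block with a blank line on either side would keep the file consistent. The whitespace on this page is collapsed, so the missing blank line is inferred from the hunk's line counts.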
@@ -753,6 +759,10 @@ optional_policy(` ') optional_policy(` + unconfined_dbus_send(systemd_machined_t) +') + +optional_policy(` virt_manage_virt_content(systemd_nspawn_t) ') Index: refpolicy-2.20180211/policy/modules/contrib/networkmanager.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/contrib/networkmanager.te +++ refpolicy-2.20180211/policy/modules/contrib/networkmanager.te @@ -222,6 +222,7 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) + init_dbus_chat(NetworkManager_t) optional_policy(` avahi_dbus_chat(NetworkManager_t) Index: refpolicy-2.20180211/policy/modules/system/locallogin.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/system/locallogin.te +++ refpolicy-2.20180211/policy/modules/system/locallogin.te @@ -138,6 +138,7 @@ userdom_create_all_users_keys(local_logi ifdef(`init_systemd',` auth_manage_faillog(local_login_t) + init_dbus_chat(local_login_t) systemd_dbus_chat_logind(local_login_t) systemd_use_logind_fds(local_login_t) systemd_manage_logind_pid_pipes(local_login_t) Index: refpolicy-2.20180211/policy/modules/admin/usermanage.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/admin/usermanage.te +++ refpolicy-2.20180211/policy/modules/admin/usermanage.te @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t) userdom_dontaudit_search_user_home_dirs(groupadd_t) optional_policy(` + dbus_system_bus_client(groupadd_t) +') + +optional_policy(` dpkg_use_fds(groupadd_t) dpkg_rw_pipes(groupadd_t) ') 
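Review bot: `dbus_system_bus_client(groupadd_t)` in the first usermanage.te hunk gives an account-management tool access to the system bus with no comment naming the service it talks to. The `dbus_system_bus_client(useradd_t)` hunk that follows has the same gap. Both domains edit the account databases, so a reviewer will want to know which bus peer is involved before widening them. Suggest a comment above each call, e.g. `# for <bus service contacted by groupadd>` (placeholder, to be filled in from the denial that prompted the rule).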
@@ -538,6 +542,10 @@ optional_policy(` ') optional_policy(` + dbus_system_bus_client(useradd_t) +') + +optional_policy(` dpkg_use_fds(useradd_t) dpkg_rw_pipes(useradd_t) ') Index: refpolicy-2.20180211/policy/modules/system/unconfined.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/system/unconfined.te +++ refpolicy-2.20180211/policy/modules/system/unconfined.te @@ -116,6 +116,10 @@ optional_policy(` ') optional_policy(` + modemmanager_dbus_chat(unconfined_t) +') + +optional_policy(` modutils_run(unconfined_t, unconfined_r) ')