From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 15 Feb 2018 16:57:48 -0500
Subject: [refpolicy] [PATCH] misc dbus patches
In-Reply-To: <20180213003649.GA17327@xev>
References: <20180213003649.GA17327@xev>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 02/12/2018 07:36 PM, Russell Coker via refpolicy wrote:
> Here is a collection of dbus policy patches, all fairly simple.
>
> Chris please merge the ones you like and we can discuss any you don't like
> afterwards.
I merged everything except for the user/groupadd ones, which need explanation: what are they doing with dbus exactly?
> Index: refpolicy-2.20180211/policy/modules/contrib/apt.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/apt.te
> +++ refpolicy-2.20180211/policy/modules/contrib/apt.te
> @@ -148,6 +148,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # for packagekitd
> + policykit_dbus_chat(apt_t)
> +')
> +
> +optional_policy(`
> # rkhunter trigger
> rkhunter_domtrans(apt_t)
> ')
> @@ -159,4 +164,5 @@ optional_policy(`
>
> optional_policy(`
> unconfined_domain(apt_t)
> + unconfined_dbus_send(apt_t)
> ')
> Index: refpolicy-2.20180211/policy/modules/contrib/dbus.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/dbus.te
> +++ refpolicy-2.20180211/policy/modules/contrib/dbus.te
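Review bot: The comment `# for packagekitd` on the new `policykit_dbus_chat(apt_t)` line in the first apt.te hunk names a program but not the interaction, so a later reader cannot tell which direction of messaging is actually needed; like the other `*_dbus_chat` interfaces this one grants send_msg both ways between apt_t and policykit_t. If the need is polkit authorization checks while apt runs as the packagekit backend (an inference, to be confirmed with the reporter), say so: `# packagekit backend: polkit authorization checks for apt_t`. The enclosing optional_policy block is visible in full.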
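Review bot: In the second apt.te hunk `unconfined_dbus_send(apt_t)` is added inside the block that already applies `unconfined_domain(apt_t)`, and nothing in the hunk says why a separately listed send rule is still needed. If unconfined_domain() already carries dbus send_msg to unconfined_t the line is redundant; if it does not, a one-line comment naming the unconfined-domain service apt_t messages, e.g. `# unconfined_domain() does not cover dbus; apt_t messages <service>`, makes the rule reviewable. The init.te hunk adds `unconfined_dbus_send(init_t)` in the same position and would benefit from the same note.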
> @@ -136,6 +136,9 @@ init_use_script_ptys(system_dbusd_t)
> init_all_labeled_script_domtrans(system_dbusd_t)
> init_start_system(system_dbusd_t) # needed by dbus-broker
>
> +# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/*
> +libs_exec_lib_files(system_dbusd_t)
> +
> logging_send_audit_msgs(system_dbusd_t)
> logging_send_syslog_msg(system_dbusd_t)
>
> Index: refpolicy-2.20180211/policy/modules/contrib/devicekit.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/devicekit.te
> +++ refpolicy-2.20180211/policy/modules/contrib/devicekit.te
> @@ -194,6 +194,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # gwenview triggers the need for this
> + xserver_dbus_chat_xdm(devicekit_disk_t)
> +')
> +
> +optional_policy(`
> virt_manage_images(devicekit_disk_t)
> ')
>
> @@ -287,6 +292,7 @@ optional_policy(`
>
> optional_policy(`
> dbus_system_bus_client(devicekit_power_t)
> + init_dbus_chat(devicekit_power_t)
>
> allow devicekit_power_t devicekit_t:dbus send_msg;
>
> Index: refpolicy-2.20180211/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/init.te
> +++ refpolicy-2.20180211/policy/modules/system/init.te
> @@ -509,6 +509,7 @@ optional_policy(`
>
> optional_policy(`
> unconfined_domain(init_t)
> + unconfined_dbus_send(init_t)
> ')
>
> ########################################
> Index: refpolicy-2.20180211/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180211/policy/modules/system/systemd.te
> @@ -308,6 +308,7 @@ systemd_log_parse_environment(systemd_ho
> optional_policy(`
> dbus_connect_system_bus(systemd_hostnamed_t)
> dbus_system_bus_client(systemd_hostnamed_t)
> + init_dbus_chat(systemd_hostnamed_t)
> ')
>
> optional_policy(`
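Review bot: `libs_exec_lib_files(system_dbusd_t)` in the dbus.te hunk lets the system bus daemon execute any file labeled lib_t in its own domain, with no transition, so the kauth helpers it launches for powerdevil run with the full privileges of system_dbusd_t and every other lib_t executable becomes runnable from that domain too. A narrower rule would label the kauth helper directory with its own exec type and transition out of system_dbusd_t, or at minimum scope the exec permission to that type; the hunk as written widens the bus daemon permanently for one client. The comment also hard-codes the x86_64 multiarch path, which is only one of the directories this rule covers; `# powerdevil kauth helpers (e.g. /usr/lib/<multiarch>/libexec/kauth/*) are lib_t` reads arch-neutral and says why lib_t is the type involved.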
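Review bot: The comment `# gwenview triggers the need for this` on the new `xserver_dbus_chat_xdm(devicekit_disk_t)` line in the first devicekit.te hunk records how the denial was found rather than what the rule permits, and an image viewer is not an obvious peer of the disk daemon. Presumably the desktop session launched from xdm stays in xdm_t and its applications query udisks over the bus (to be confirmed from the audit log); if so, `# desktop session apps running in xdm_t (seen with gwenview) query udisks` tells the next reader why xdm_t is the peer. The enclosing optional_policy block is visible in full.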
> @@ -450,6 +451,8 @@ userdom_delete_all_user_runtime_files(sy
> userdom_delete_all_user_runtime_named_pipes(systemd_logind_t)
> userdom_delete_all_user_runtime_named_sockets(systemd_logind_t)
> userdom_delete_all_user_runtime_symlinks(systemd_logind_t)
> +# user_tmp_t is for the dbus-1 directory
> +userdom_list_user_tmp(systemd_logind_t)
> userdom_manage_user_runtime_dirs(systemd_logind_t)
> userdom_manage_user_runtime_root_dirs(systemd_logind_t)
> userdom_mounton_user_runtime_dirs(systemd_logind_t)
> @@ -482,6 +485,9 @@ optional_policy(`
> optional_policy(`
> networkmanager_dbus_chat(systemd_logind_t)
> ')
> +optional_policy(`
> + modemmanager_dbus_chat(systemd_logind_t)
> +')
>
> optional_policy(`
> policykit_dbus_chat(systemd_logind_t)
> @@ -753,6 +759,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + unconfined_dbus_send(systemd_machined_t)
> +')
> +
> +optional_policy(`
> virt_manage_virt_content(systemd_nspawn_t)
> ')
>
> Index: refpolicy-2.20180211/policy/modules/contrib/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/networkmanager.te
> +++ refpolicy-2.20180211/policy/modules/contrib/networkmanager.te
> @@ -222,6 +222,7 @@ optional_policy(`
>
> optional_policy(`
> dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
> + init_dbus_chat(NetworkManager_t)
>
> optional_policy(`
> avahi_dbus_chat(NetworkManager_t)
> Index: refpolicy-2.20180211/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20180211/policy/modules/system/locallogin.te
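Review bot: The new modemmanager block in the second systemd.te hunk (`@@ -482,6 +485,9 @@`) is inserted directly after the `')` that closes the networkmanager block, with no blank line between them, while every other optional_policy block in this file and in the other hunks of this patch is separated by one. Adding a blank line before `+optional_policy(\`` keeps the file consistent and makes the two blocks read as independent. The other two additions in this hunk are fine as written.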
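Review bot: `unconfined_dbus_send(systemd_machined_t)` in the third systemd.te hunk (`@@ -753,6 +759,10 @@`) is added without any comment, unlike the other additions in this patch, so there is no record of which unconfined-domain peer machined needs to message or what triggered the denial. A one-line comment on the new block, e.g. `# machined replies to <unconfined peer> over the system bus` with the actual peer filled in from the audit log, would let a later reviewer decide whether a narrower interface applies. The block is visible in full in the hunk.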
> @@ -138,6 +138,7 @@ userdom_create_all_users_keys(local_logi
> ifdef(`init_systemd',`
> auth_manage_faillog(local_login_t)
>
> + init_dbus_chat(local_login_t)
> systemd_dbus_chat_logind(local_login_t)
> systemd_use_logind_fds(local_login_t)
> systemd_manage_logind_pid_pipes(local_login_t)
> Index: refpolicy-2.20180211/policy/modules/admin/usermanage.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/admin/usermanage.te
> +++ refpolicy-2.20180211/policy/modules/admin/usermanage.te
> @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
> userdom_dontaudit_search_user_home_dirs(groupadd_t)
>
> optional_policy(`
> + dbus_system_bus_client(groupadd_t)
> +')
> +
> +optional_policy(`
> dpkg_use_fds(groupadd_t)
> dpkg_rw_pipes(groupadd_t)
> ')
> @@ -538,6 +542,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dbus_system_bus_client(useradd_t)
> +')
> +
> +optional_policy(`
> dpkg_use_fds(useradd_t)
> dpkg_rw_pipes(useradd_t)
> ')
> Index: refpolicy-2.20180211/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20180211/policy/modules/system/unconfined.te
> @@ -116,6 +116,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + modemmanager_dbus_chat(unconfined_t)
> +')
> +
> +optional_policy(`
> modutils_run(unconfined_t, unconfined_r)
> ')
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito