selinux-policy/policy/modules/services/dbus.if

526 lines
12 KiB
Plaintext
Raw Normal View History

2005-08-31 20:58:12 +00:00
## <summary>Desktop messaging bus</summary>
2005-11-25 16:43:03 +00:00
########################################
## <summary>
## DBUS stub interface. No access allowed.
## </summary>
2008-06-24 14:43:47 +00:00
## <param name="domain" unused="true">
## <summary>
2008-06-24 14:43:47 +00:00
## Domain allowed access
## </summary>
2005-11-25 16:43:03 +00:00
## </param>
#
interface(`dbus_stub',`
gen_require(`
type system_dbusd_t;
class dbus all_dbus_perms;
2005-11-25 16:43:03 +00:00
')
')
2008-11-05 16:10:46 +00:00
########################################
2005-08-31 20:58:12 +00:00
## <summary>
2008-11-05 16:10:46 +00:00
## Role access for dbus
2005-08-31 20:58:12 +00:00
## </summary>
2008-11-05 16:10:46 +00:00
## <param name="role_prefix">
## <summary>
2008-11-05 16:10:46 +00:00
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
2005-08-31 20:58:12 +00:00
## </param>
2008-11-05 16:10:46 +00:00
## <param name="role">
## <summary>
2008-11-05 16:10:46 +00:00
## Role allowed access
## </summary>
2005-08-31 20:58:12 +00:00
## </param>
2008-11-05 16:10:46 +00:00
## <param name="domain">
## <summary>
2008-11-05 16:10:46 +00:00
## User domain for the role
## </summary>
2005-08-31 20:58:12 +00:00
## </param>
#
2008-11-05 16:10:46 +00:00
template(`dbus_role_template',`
2007-09-07 13:41:20 +00:00
gen_require(`
class dbus { send_msg acquire_svc };
Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible.
2010-09-17 07:49:15 +00:00
attribute dbusd_unconfined, session_bus_type;
2008-11-05 16:10:46 +00:00
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
2010-08-26 13:41:21 +00:00
type $1_t;
2007-09-07 13:41:20 +00:00
')
2005-10-19 14:36:04 +00:00
2005-08-31 20:58:12 +00:00
##############################
#
# Delcarations
#
2005-09-01 13:34:45 +00:00
2008-11-05 16:10:46 +00:00
type $1_dbusd_t, session_bus_type;
domain_type($1_dbusd_t)
domain_entry_file($1_dbusd_t, dbusd_exec_t)
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
2005-08-31 20:58:12 +00:00
##############################
#
# Local policy
#
allow $1_dbusd_t self:process { getattr sigkill signal };
2007-09-07 13:41:20 +00:00
dontaudit $1_dbusd_t self:process ptrace;
2005-09-16 19:36:10 +00:00
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
2005-08-31 20:58:12 +00:00
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
2005-09-01 13:34:45 +00:00
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
2005-09-16 19:36:10 +00:00
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
2005-08-31 20:58:12 +00:00
2005-09-01 13:34:45 +00:00
# For connecting to the bus
2008-11-05 16:10:46 +00:00
allow $3 $1_dbusd_t:unix_stream_socket connectto;
2005-09-01 13:34:45 +00:00
# SE-DBus specific permissions
2010-08-26 13:41:21 +00:00
allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
2008-11-05 16:10:46 +00:00
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
2005-09-01 13:34:45 +00:00
2006-12-12 20:08:08 +00:00
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
2005-08-31 20:58:12 +00:00
2008-11-05 16:10:46 +00:00
manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
2005-08-31 20:58:12 +00:00
2008-11-05 16:10:46 +00:00
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
ps_process_pattern($3, $1_dbusd_t)
allow $3 $1_dbusd_t:process { ptrace signal_perms };
2005-08-31 20:58:12 +00:00
2007-09-07 13:41:20 +00:00
# cjp: this seems very broken
2010-08-26 13:41:21 +00:00
corecmd_bin_domtrans($1_dbusd_t, $1_t)
2008-11-05 16:10:46 +00:00
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
2007-09-07 13:41:20 +00:00
2005-08-31 20:58:12 +00:00
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctls($1_dbusd_t)
2005-08-31 20:58:12 +00:00
corecmd_list_bin($1_dbusd_t)
2006-02-02 21:08:12 +00:00
corecmd_read_bin_symlinks($1_dbusd_t)
corecmd_read_bin_files($1_dbusd_t)
corecmd_read_bin_pipes($1_dbusd_t)
corecmd_read_bin_sockets($1_dbusd_t)
2005-08-31 20:58:12 +00:00
corenet_all_recvfrom_unlabeled($1_dbusd_t)
corenet_all_recvfrom_netlabel($1_dbusd_t)
corenet_tcp_sendrecv_generic_if($1_dbusd_t)
corenet_tcp_sendrecv_generic_node($1_dbusd_t)
corenet_tcp_sendrecv_all_ports($1_dbusd_t)
corenet_tcp_bind_generic_node($1_dbusd_t)
corenet_tcp_bind_reserved_port($1_dbusd_t)
dev_read_urand($1_dbusd_t)
domain_use_interactive_fds($1_dbusd_t)
2009-07-27 13:46:35 +00:00
domain_read_all_domains_state($1_dbusd_t)
2005-08-31 20:58:12 +00:00
files_read_etc_files($1_dbusd_t)
files_list_home($1_dbusd_t)
files_read_usr_files($1_dbusd_t)
files_dontaudit_search_var($1_dbusd_t)
fs_getattr_romfs($1_dbusd_t)
fs_getattr_xattr_fs($1_dbusd_t)
fs_list_inotifyfs($1_dbusd_t)
2010-05-03 13:34:42 +00:00
fs_dontaudit_list_nfs($1_dbusd_t)
selinux_get_fs_mount($1_dbusd_t)
selinux_validate_context($1_dbusd_t)
selinux_compute_access_vector($1_dbusd_t)
selinux_compute_create_context($1_dbusd_t)
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
auth_read_pam_console_data($1_dbusd_t)
auth_use_nsswitch($1_dbusd_t)
logging_send_audit_msgs($1_dbusd_t)
2005-08-31 20:58:12 +00:00
logging_send_syslog_msg($1_dbusd_t)
miscfiles_read_localization($1_dbusd_t)
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
2010-05-03 13:34:42 +00:00
term_use_all_terms($1_dbusd_t)
2010-08-26 13:41:21 +00:00
userdom_dontaudit_search_admin_dir($1_dbusd_t)
userdom_manage_user_home_content_dirs($1_dbusd_t)
userdom_manage_user_home_content_files($1_dbusd_t)
userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
2007-09-07 13:41:20 +00:00
ifdef(`hide_broken_symptoms', `
2008-11-05 16:10:46 +00:00
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
2007-09-07 13:41:20 +00:00
')
2010-08-26 13:41:21 +00:00
optional_policy(`
gnome_read_gconf_home_files($1_dbusd_t)
')
optional_policy(`
hal_dbus_chat($1_dbusd_t)
2005-08-31 20:58:12 +00:00
')
optional_policy(`
xserver_search_xdm_lib($1_dbusd_t)
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
2005-09-16 19:36:10 +00:00
')
2005-08-31 20:58:12 +00:00
')
#######################################
## <summary>
## Template for creating connections to
## the system DBUS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-08-31 20:58:12 +00:00
## </param>
#
2008-11-05 16:10:46 +00:00
interface(`dbus_system_bus_client',`
2005-09-01 13:34:45 +00:00
gen_require(`
type system_dbusd_t, system_dbusd_t;
2007-09-07 13:41:20 +00:00
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
2005-09-01 13:34:45 +00:00
class dbus send_msg;
2010-08-26 13:41:21 +00:00
attribute dbusd_unconfined;
2005-09-01 13:34:45 +00:00
')
2005-08-31 20:58:12 +00:00
# SE-DBus specific permissions
2008-11-05 16:10:46 +00:00
allow $1 { system_dbusd_t self }:dbus send_msg;
2010-08-26 13:41:21 +00:00
allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
2005-08-31 20:58:12 +00:00
2008-11-05 16:10:46 +00:00
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
2007-09-07 13:41:20 +00:00
2005-08-31 20:58:12 +00:00
# For connecting to the bus
2008-11-05 16:10:46 +00:00
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
2005-08-31 20:58:12 +00:00
')
2005-09-01 13:34:45 +00:00
2006-03-08 20:09:42 +00:00
#######################################
## <summary>
## Template for creating connections to
## a user DBUS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
2006-03-08 20:09:42 +00:00
## </summary>
## </param>
#
2008-11-05 16:10:46 +00:00
interface(`dbus_session_bus_client',`
2006-03-08 20:09:42 +00:00
gen_require(`
2008-11-05 16:10:46 +00:00
attribute session_bus_type;
2006-03-08 20:09:42 +00:00
class dbus send_msg;
')
# SE-DBus specific permissions
2008-11-05 16:10:46 +00:00
allow $1 { session_bus_type self }:dbus send_msg;
2006-03-08 20:09:42 +00:00
# For connecting to the bus
2008-11-05 16:10:46 +00:00
allow $1 session_bus_type:unix_stream_socket connectto;
2006-03-08 20:09:42 +00:00
')
########################################
## <summary>
2008-11-05 16:10:46 +00:00
## Send a message the session DBUS.
2006-03-08 20:09:42 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
2008-11-05 16:10:46 +00:00
interface(`dbus_send_session_bus',`
2006-03-08 20:09:42 +00:00
gen_require(`
2008-11-05 16:10:46 +00:00
attribute session_bus_type;
2006-03-08 20:09:42 +00:00
class dbus send_msg;
')
2008-11-05 16:10:46 +00:00
allow $1 session_bus_type:dbus send_msg;
2006-03-08 20:09:42 +00:00
')
2006-01-06 22:51:40 +00:00
########################################
## <summary>
## Read dbus configuration.
## </summary>
## <param name="domain">
## <summary>
2006-01-06 22:51:40 +00:00
## Domain allowed access.
## </summary>
2006-01-06 22:51:40 +00:00
## </param>
#
interface(`dbus_read_config',`
gen_require(`
type dbusd_etc_t;
')
2007-09-07 13:41:20 +00:00
allow $1 dbusd_etc_t:dir list_dir_perms;
2006-12-12 20:08:08 +00:00
allow $1 dbusd_etc_t:file read_file_perms;
2006-01-06 22:51:40 +00:00
')
2005-09-02 20:29:52 +00:00
########################################
## <summary>
2010-05-03 13:34:42 +00:00
## Read system dbus lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_read_lib_files',`
gen_require(`
type system_dbusd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete
## system dbus lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_manage_lib_files',`
gen_require(`
type system_dbusd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
########################################
## <summary>
## Connect to the system DBUS
2009-07-27 13:46:35 +00:00
## for service (acquire_svc).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_connect_session_bus',`
gen_require(`
attribute session_bus_type;
class dbus acquire_svc;
')
allow $1 session_bus_type:dbus acquire_svc;
')
2010-05-03 13:34:42 +00:00
########################################
## <summary>
## Allow a application domain to be started
## by the session dbus.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an
## entry point to this domain.
## </summary>
## </param>
#
interface(`dbus_session_domain',`
gen_require(`
attribute session_bus_type;
')
domtrans_pattern(session_bus_type, $2, $1)
dbus_session_bus_client($1)
dbus_connect_session_bus($1)
')
2009-07-27 13:46:35 +00:00
########################################
## <summary>
## Connect to the system DBUS
2005-09-02 20:29:52 +00:00
## for service (acquire_svc).
## </summary>
## <param name="domain">
## <summary>
2005-09-02 20:29:52 +00:00
## Domain allowed access.
## </summary>
2005-09-02 20:29:52 +00:00
## </param>
#
interface(`dbus_connect_system_bus',`
gen_require(`
type system_dbusd_t;
class dbus acquire_svc;
')
allow $1 system_dbusd_t:dbus acquire_svc;
')
2005-09-01 13:34:45 +00:00
########################################
## <summary>
## Send a message on the system DBUS.
## </summary>
## <param name="domain">
## <summary>
2005-09-01 13:34:45 +00:00
## Domain allowed access.
## </summary>
2005-09-01 13:34:45 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`dbus_send_system_bus',`
2005-09-01 13:34:45 +00:00
gen_require(`
type system_dbusd_t;
class dbus send_msg;
')
allow $1 system_dbusd_t:dbus send_msg;
')
2005-09-21 14:49:41 +00:00
########################################
## <summary>
## Allow unconfined access to the system DBUS.
## </summary>
## <param name="domain">
## <summary>
2005-09-21 14:49:41 +00:00
## Domain allowed access.
## </summary>
2005-09-21 14:49:41 +00:00
## </param>
#
interface(`dbus_system_bus_unconfined',`
gen_require(`
type system_dbusd_t;
class dbus all_dbus_perms;
')
allow $1 system_dbusd_t:dbus *;
')
2009-07-27 13:46:35 +00:00
########################################
## <summary>
## Create a domain for processes
## which can be started by the system dbus
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
interface(`dbus_system_domain',`
gen_require(`
type system_dbusd_t;
role system_r;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(system_dbusd_t, $2, $1)
fs_search_all($1)
2009-07-27 13:46:35 +00:00
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
2010-08-26 13:41:21 +00:00
init_stream_connect($1)
2010-05-03 13:34:42 +00:00
ps_process_pattern(system_dbusd_t, $1)
2010-08-26 13:41:21 +00:00
userdom_dontaudit_search_admin_dir($1)
2010-05-03 13:34:42 +00:00
userdom_read_all_users_state($1)
2010-08-26 13:41:21 +00:00
optional_policy(`
rpm_script_dbus_chat($1)
')
optional_policy(`
unconfined_dbus_send($1)
')
2009-07-27 13:46:35 +00:00
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
########################################
## <summary>
## Dontaudit Read, and write system dbus TCP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
2009-07-27 13:46:35 +00:00
## </summary>
## </param>
#
interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
gen_require(`
type system_dbusd_t;
')
allow $1 system_dbusd_t:tcp_socket { read write };
allow $1 system_dbusd_t:fd use;
')
########################################
## <summary>
## Allow unconfined access to the system DBUS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_unconfined',`
gen_require(`
attribute dbusd_unconfined;
')
typeattribute $1 dbusd_unconfined;
')
########################################
## <summary>
## Delete all dbus pid files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_delete_pid_files',`
gen_require(`
type system_dbusd_var_run_t;
')
files_search_pids($1)
delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
')