2005-10-21 18:05:21 +00:00
|
|
|
#
|
|
|
|
# Macros for Dbus
|
|
|
|
#
|
|
|
|
# Author: Colin Walters <walters@redhat.com>
|
|
|
|
|
|
|
|
# dbusd_domain(domain_prefix)
|
|
|
|
#
|
|
|
|
# Define a derived domain for the DBus daemon.
|
|
|
|
|
|
|
|
define(`dbusd_domain', `
|
|
|
|
ifelse(`system', `$1',`
|
|
|
|
daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
|
|
|
|
# For backwards compatibility
|
|
|
|
typealias system_dbusd_t alias dbusd_t;
|
|
|
|
type etc_dbusd_t, file_type, sysadmfile;
|
|
|
|
',`
|
|
|
|
type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
|
|
|
|
role $1_r types $1_dbusd_t;
|
|
|
|
domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
|
|
|
|
read_locale($1_dbusd_t)
|
|
|
|
allow $1_t $1_dbusd_t:process { sigkill signal };
|
|
|
|
allow $1_dbusd_t self:process { sigkill signal };
|
|
|
|
dontaudit $1_dbusd_t var_t:dir { getattr search };
|
|
|
|
')dnl end ifelse system
|
|
|
|
|
|
|
|
base_file_read_access($1_dbusd_t)
|
|
|
|
uses_shlib($1_dbusd_t)
|
|
|
|
allow $1_dbusd_t etc_t:file { getattr read };
|
|
|
|
r_dir_file($1_dbusd_t, etc_dbusd_t)
|
|
|
|
tmp_domain($1_dbusd)
|
|
|
|
allow $1_dbusd_t self:process fork;
|
|
|
|
can_pipe_xdm($1_dbusd_t)
|
|
|
|
|
|
|
|
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
|
|
|
|
allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
|
|
|
|
allow $1_dbusd_t self:file { getattr read write };
|
|
|
|
allow $1_dbusd_t proc_t:file read;
|
|
|
|
|
|
|
|
can_getsecurity($1_dbusd_t)
|
|
|
|
r_dir_file($1_dbusd_t, default_context_t)
|
2005-11-07 20:09:28 +00:00
|
|
|
allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
|
|
|
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
|
2005-10-21 18:05:21 +00:00
|
|
|
|
|
|
|
ifdef(`pamconsole.te', `
|
|
|
|
r_dir_file($1_dbusd_t, pam_var_console_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
|
|
|
|
|
|
|
|
')dnl end dbusd_domain definition
|
|
|
|
|
|
|
|
# dbusd_client(dbus_type, domain_prefix)
|
|
|
|
# Example: dbusd_client_domain(system, user)
|
|
|
|
#
|
|
|
|
# Define a new derived domain for connecting to dbus_type
|
|
|
|
# from domain_prefix_t.
|
|
|
|
undefine(`dbusd_client')
|
|
|
|
define(`dbusd_client',`
|
|
|
|
|
|
|
|
ifdef(`dbusd.te',`
|
|
|
|
# Derived type used for connection
|
|
|
|
type $2_dbusd_$1_t;
|
|
|
|
type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
|
|
|
|
|
|
|
|
# SE-DBus specific permissions
|
|
|
|
allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
|
|
|
|
|
|
|
# For connecting to the bus
|
|
|
|
allow $2_t $1_dbusd_t:unix_stream_socket connectto;
|
|
|
|
|
|
|
|
ifelse(`system', `$1', `
|
|
|
|
allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
|
|
|
|
allow { $2_t } system_dbusd_var_run_t:sock_file write;
|
|
|
|
',`') dnl endif system
|
|
|
|
') dnl endif dbusd.te
|
|
|
|
')
|
|
|
|
|
|
|
|
# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
|
|
|
|
# Example: can_dbusd_converse(system, hald, updfstab)
|
|
|
|
# Example: can_dbusd_converse(session, user, user)
|
|
|
|
define(`can_dbusd_converse',`')
|
|
|
|
ifdef(`dbusd.te',`
|
|
|
|
undefine(`can_dbusd_converse')
|
|
|
|
define(`can_dbusd_converse',`
|
|
|
|
allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
|
|
|
|
allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
|
|
|
|
') dnl endif dbusd.te
|
|
|
|
')
|