#
# Macros for Dbus
#
# Author: Colin Walters <walters@redhat.com>

# dbusd_domain(domain_prefix)
#
# Define a derived domain for the DBus daemon.
#
# For the prefix system the daemon domain system_dbusd_t is created
# through daemon_domain; any other prefix gets a derived
# <prefix>_dbusd_t session bus domain entered from <prefix>_t.
# Both paths then share the rules that follow the ifelse below.
define(`dbusd_domain', `
ifelse(`system', `$1',`
# userspace_objmgr marks the bus daemon as a userspace object manager:
# it makes its own dbus access decisions, which is what can_getsecurity
# and the netlink_selinux_socket rule further down serve.
daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
# For backwards compatibility
typealias system_dbusd_t alias dbusd_t;
type etc_dbusd_t, file_type, sysadmfile;
',`
type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
role $1_r types $1_dbusd_t;
# Entry into the session bus domain is tied to the system_dbusd_exec_t
# binary, so only that executable run from <prefix>_t lands here.
domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
read_locale($1_dbusd_t)
# The launching domain may signal or kill its session bus and the bus
# may signal itself; no other process access is granted in this macro.
allow $1_t $1_dbusd_t:process { sigkill signal };
allow $1_dbusd_t self:process { sigkill signal };
# Silence the search of var_t the session daemon attempts without granting it.
dontaudit $1_dbusd_t var_t:dir { getattr search };
')dnl end ifelse system
base_file_read_access($1_dbusd_t)
uses_shlib($1_dbusd_t)
# Bus configuration is read only: etc_t files plus the etc_dbusd_t tree.
allow $1_dbusd_t etc_t:file { getattr read };
r_dir_file($1_dbusd_t, etc_dbusd_t)
# NOTE(review): tmp_domain is handed the bare prefix, presumably because
# the macro appends _t itself; confirm against the tmp_domain definition.
tmp_domain($1_dbusd)
allow $1_dbusd_t self:process fork;
can_pipe_xdm($1_dbusd_t)
# Sockets for clients: only the unix families are allowed in this macro.
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
# Read access to urandom is the only device node granted in this macro.
allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
# self:file and proc_t:file read presumably cover the entries of the
# daemon itself under proc; confirm if this is ever widened.
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t proc_t:file read;
# Security context lookups needed by a userspace object manager.
can_getsecurity($1_dbusd_t)
r_dir_file($1_dbusd_t, default_context_t)
# nlmsg_relay lets the daemon submit userspace audit records, presumably
# for the dbus access decisions it makes; the selinux netlink socket is
# presumably used for policy reload and enforcing mode notifications.
allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
# Read only access to pam console data, only when that policy is built.
ifdef(`pamconsole.te', `
r_dir_file($1_dbusd_t, pam_var_console_t)
')
# The daemon may send on its own bus and acquire service names there.
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
')dnl end dbusd_domain definition

# dbusd_client(dbus_type, domain_prefix)
# Example: dbusd_client(system, user)
#
# Define a new derived domain for connecting to dbus_type
# from domain_prefix_t.
undefine(`dbusd_client')
define(`dbusd_client',`
ifdef(`dbusd.te',`
# Derived type used for connection: the connection of <prefix>_t on
# <bus>_dbusd_t is relabeled by the daemon into <prefix>_dbusd_<bus>_t.
type $2_dbusd_$1_t;
type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
# SE-DBus specific permissions
# A client may send only to the bus daemon and to itself; traffic to
# any other client stays denied until can_dbusd_converse grants it.
allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
# For connecting to the bus
allow $2_t $1_dbusd_t:unix_stream_socket connectto;
# Only the system bus branch grants the socket file under var_run:
# search on both dir types walks the path, write on the sock_file connects.
ifelse(`system', `$1', `
allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
allow { $2_t } system_dbusd_var_run_t:sock_file write;
',`') dnl endif system
') dnl endif dbusd.te
')

# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
# Example: can_dbusd_converse(system, hald, updfstab)
# Example: can_dbusd_converse(session, user, user)
#
# Expands to nothing when dbusd.te is not part of the build, so callers
# never break; otherwise the grant is symmetric, each of the two client
# types may send_msg to the other on the named bus.
define(`can_dbusd_converse',`')
ifdef(`dbusd.te',`
undefine(`can_dbusd_converse')
define(`can_dbusd_converse',`
allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
') dnl endif dbusd.te
')