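policy_module(dbus, 1.13.0)

# The dbus object class and its permission set are defined in the kernel
# policy (access_vectors); require them here so the rules below resolve.
gen_require(`
	class dbus all_dbus_perms;
')

##############################
#
# Declarations
#

# Domains carrying this attribute receive every dbus permission against
# session buses and against each other (see the unconfined section at the
# end of this module); assign it sparingly.
attribute dbusd_unconfined;
# Attribute shared by all per-user session bus domains.
attribute session_bus_type;

# /etc/dbus-1 configuration (read-only for the system bus).
type dbusd_etc_t;
files_config_file(dbusd_etc_t)

# The dbus-daemon executable; one binary serves both bus kinds.
type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;

# Temporary files of session buses, shared across all user roles.
type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
files_tmp_file(session_dbusd_tmp_t)
ubac_constrained(session_dbusd_tmp_t)

# The system bus daemon, started by init.
type system_dbusd_t;
init_system_domain(system_dbusd_t, dbusd_exec_t)

type system_dbusd_tmp_t;
files_tmp_file(system_dbusd_tmp_t)

# /var/lib/dbus (machine-id and similar state).
type system_dbusd_var_lib_t;
files_type(system_dbusd_var_lib_t)

# /var/run/dbus: pid file and the system bus socket.
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)

# Under MCS/MLS the system bus runs ranged so it can serve clients at
# every level; the mls_* rules below complete that trust.
ifdef(`enable_mcs',`
	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')

##############################
#
# System bus local policy
#

# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
# NOTE(review): dac_override bypasses DAC permission checks on any file,
# not just /var/run/dbus. If it is only needed for the Debian ownership
# noted above it could be limited to ifdef(distro_debian) -- confirm the
# other distributions do not rely on it before narrowing.
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
# Create and connect to its own unix stream sockets (the bus socket).
# connectto is listed once here; the set previously repeated it.
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };

can_exec(system_dbusd_t, dbusd_exec_t)

# Bus configuration is read-only: the daemon may list, read and follow
# symlinks under dbusd_etc_t but never write it.
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)

manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })

# /var/lib/dbus is read-only for the running daemon.
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)

# Pid file and bus socket under /var/run.
manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })

kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)

dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)

fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
fs_dontaudit_list_nfs(system_dbusd_t)

# The system bus is an MLS-trusted subject: it reads files, uses fds and
# receives dbus messages at all levels and writes sockets at all levels,
# since it relays between clients of different levels.
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
mls_socket_write_all_levels(system_dbusd_t)
mls_socket_read_to_clearance(system_dbusd_t)
mls_dbus_recv_all_levels(system_dbusd_t)

# The daemon is a userspace object manager for the dbus class: it asks
# the kernel to validate and compute contexts and access decisions.
selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
selinux_compute_access_vector(system_dbusd_t)
selinux_compute_create_context(system_dbusd_t)
selinux_compute_relabel_context(system_dbusd_t)
selinux_compute_user_contexts(system_dbusd_t)

term_dontaudit_use_console(system_dbusd_t)

auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)

corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)

domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)

files_read_etc_files(system_dbusd_t)
files_list_home(system_dbusd_t)
files_read_usr_files(system_dbusd_t)

# Service activation: the bus may start init scripts and binaries on
# behalf of clients, so every domtrans below is an activation path.
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
init_bin_domtrans_spec(system_dbusd_t)
init_domtrans_script(system_dbusd_t)
init_rw_stream_sockets(system_dbusd_t)

logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)

miscfiles_read_localization(system_dbusd_t)
miscfiles_read_generic_certs(system_dbusd_t)

seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
seutil_sigchld_newrole(system_dbusd_t)

userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)

optional_policy(`
	bind_domtrans(system_dbusd_t)
')

optional_policy(`
	gnome_exec_gconf(system_dbusd_t)
')

optional_policy(`
	networkmanager_initrc_domtrans(system_dbusd_t)
')

optional_policy(`
	policykit_dbus_chat(system_dbusd_t)
	policykit_domtrans_auth(system_dbusd_t)
	policykit_search_lib(system_dbusd_t)
')

optional_policy(`
	sysnet_domtrans_dhcpc(system_dbusd_t)
')

optional_policy(`
	udev_read_db(system_dbusd_t)
')

########################################
#
# Unconfined access to this module
#

# Full dbus access for unconfined domains: every permission toward session
# buses and toward other unconfined domains. Session buses may only send
# messages back to them.
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
allow session_bus_type dbusd_unconfined:dbus send_msg;

optional_policy(`
	xserver_use_xdm_fds(session_bus_type)
	xserver_rw_xdm_pipes(session_bus_type)
	xserver_append_xdm_home_files(session_bus_type)
')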