selinux-policy/targeted/macros/program/dbusd_macros.te
2005-11-07 20:09:28 +00:00

91 lines
2.7 KiB
Plaintext

#
# Macros for Dbus
#
# Author: Colin Walters <walters@redhat.com>
# dbusd_domain(domain_prefix)
#
# Define a derived domain for the DBus daemon.
define(`dbusd_domain', `
ifelse(`system', `$1',`
daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
# For backwards compatibility
typealias system_dbusd_t alias dbusd_t;
type etc_dbusd_t, file_type, sysadmfile;
',`
type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
role $1_r types $1_dbusd_t;
domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
read_locale($1_dbusd_t)
allow $1_t $1_dbusd_t:process { sigkill signal };
allow $1_dbusd_t self:process { sigkill signal };
dontaudit $1_dbusd_t var_t:dir { getattr search };
')dnl end ifelse system
base_file_read_access($1_dbusd_t)
uses_shlib($1_dbusd_t)
allow $1_dbusd_t etc_t:file { getattr read };
r_dir_file($1_dbusd_t, etc_dbusd_t)
tmp_domain($1_dbusd)
allow $1_dbusd_t self:process fork;
can_pipe_xdm($1_dbusd_t)
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t proc_t:file read;
can_getsecurity($1_dbusd_t)
r_dir_file($1_dbusd_t, default_context_t)
allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
ifdef(`pamconsole.te', `
r_dir_file($1_dbusd_t, pam_var_console_t)
')
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
')dnl end dbusd_domain definition
# dbusd_client(dbus_type, domain_prefix)
# Example: dbusd_client_domain(system, user)
#
# Define a new derived domain for connecting to dbus_type
# from domain_prefix_t.
undefine(`dbusd_client')
define(`dbusd_client',`
ifdef(`dbusd.te',`
# Derived type used for connection
type $2_dbusd_$1_t;
type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
# SE-DBus specific permissions
allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
# For connecting to the bus
allow $2_t $1_dbusd_t:unix_stream_socket connectto;
ifelse(`system', `$1', `
allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
allow { $2_t } system_dbusd_var_run_t:sock_file write;
',`') dnl endif system
') dnl endif dbusd.te
')
# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
# Example: can_dbusd_converse(system, hald, updfstab)
# Example: can_dbusd_converse(session, user, user)
define(`can_dbusd_converse',`')
ifdef(`dbusd.te',`
undefine(`can_dbusd_converse')
define(`can_dbusd_converse',`
allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
') dnl endif dbusd.te
')