rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
bbdbce34c2
selinux-policy/policy/modules/services/dbus.if
Dan Walsh 0a394bf04f Add vnstat policy 
allow logrotate to mail syslog files
Allow chrom-sandbox to search nfs_t
Allow libvirt to send audit messages
Dontaudit leaked console to xauth
2010-09-16 17:46:06 -04:00

526 lines
12 KiB
Plaintext
Raw Blame History

## <summary>Desktop messaging bus</summary>
########################################
## <summary>
## DBUS stub interface. No access allowed.
## </summary>
## <param name="domain" unused="true">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`dbus_stub',`
gen_require(`
type system_dbusd_t;
class dbus all_dbus_perms;
')
')
########################################
## <summary>
## Role access for dbus
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
attribute dbusd_unconfined;
attribute session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
type $1_t;
')
##############################
#
# Delcarations
#
type $1_dbusd_t, session_bus_type;
domain_type($1_dbusd_t)
domain_entry_file($1_dbusd_t, dbusd_exec_t)
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
##############################
#
# Local policy
#
allow $1_dbusd_t self:process { getattr sigkill signal };
dontaudit $1_dbusd_t self:process ptrace;
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
# For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
allow $3 $1_dbusd_t:process { signull sigkill signal };
# cjp: this seems very broken
corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
allow $3 $1_dbusd_t:process sigchld;
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctls($1_dbusd_t)
corecmd_list_bin($1_dbusd_t)
corecmd_read_bin_symlinks($1_dbusd_t)
corecmd_read_bin_files($1_dbusd_t)
corecmd_read_bin_pipes($1_dbusd_t)
corecmd_read_bin_sockets($1_dbusd_t)
corenet_all_recvfrom_unlabeled($1_dbusd_t)
corenet_all_recvfrom_netlabel($1_dbusd_t)
corenet_tcp_sendrecv_generic_if($1_dbusd_t)
corenet_tcp_sendrecv_generic_node($1_dbusd_t)
corenet_tcp_sendrecv_all_ports($1_dbusd_t)
corenet_tcp_bind_generic_node($1_dbusd_t)
corenet_tcp_bind_reserved_port($1_dbusd_t)
dev_read_urand($1_dbusd_t)
domain_use_interactive_fds($1_dbusd_t)
domain_read_all_domains_state($1_dbusd_t)
files_read_etc_files($1_dbusd_t)
files_list_home($1_dbusd_t)
files_read_usr_files($1_dbusd_t)
files_dontaudit_search_var($1_dbusd_t)
fs_getattr_romfs($1_dbusd_t)
fs_getattr_xattr_fs($1_dbusd_t)
fs_list_inotifyfs($1_dbusd_t)
fs_dontaudit_list_nfs($1_dbusd_t)
selinux_get_fs_mount($1_dbusd_t)
selinux_validate_context($1_dbusd_t)
selinux_compute_access_vector($1_dbusd_t)
selinux_compute_create_context($1_dbusd_t)
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
auth_read_pam_console_data($1_dbusd_t)
auth_use_nsswitch($1_dbusd_t)
logging_send_audit_msgs($1_dbusd_t)
logging_send_syslog_msg($1_dbusd_t)
miscfiles_read_localization($1_dbusd_t)
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
term_use_all_terms($1_dbusd_t)
userdom_dontaudit_search_admin_dir($1_dbusd_t)
userdom_manage_user_home_content_dirs($1_dbusd_t)
userdom_manage_user_home_content_files($1_dbusd_t)
userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
ifdef(`hide_broken_symptoms', `
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
optional_policy(`
gnome_read_gconf_home_files($1_dbusd_t)
')
optional_policy(`
hal_dbus_chat($1_dbusd_t)
')
optional_policy(`
xserver_search_xdm_lib($1_dbusd_t)
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
')
')
#######################################
## <summary>
## Template for creating connections to
## the system DBUS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_system_bus_client',`
gen_require(`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
attribute dbusd_unconfined;
')
# SE-DBus specific permissions
allow $1 { system_dbusd_t self }:dbus send_msg;
allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
# For connecting to the bus
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
')
#######################################
## <summary>
## Template for creating connections to
## a user DBUS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_session_bus_client',`
gen_require(`
attribute session_bus_type;
class dbus send_msg;
')
# SE-DBus specific permissions
allow $1 { session_bus_type self }:dbus send_msg;
# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
')
########################################
## <summary>
## Send a message the session DBUS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_send_session_bus',`
gen_require(`
attribute session_bus_type;
class dbus send_msg;
')
allow $1 session_bus_type:dbus send_msg;
')
########################################
## <summary>
## Read dbus configuration.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_read_config',`
gen_require(`
type dbusd_etc_t;
')
allow $1 dbusd_etc_t:dir list_dir_perms;
allow $1 dbusd_etc_t:file read_file_perms;
')
########################################
## <summary>
## Read system dbus lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_read_lib_files',`
gen_require(`
type system_dbusd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete
## system dbus lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_manage_lib_files',`
gen_require(`
type system_dbusd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
########################################
## <summary>
## Connect to the system DBUS
## for service (acquire_svc).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_connect_session_bus',`
gen_require(`
attribute session_bus_type;
class dbus acquire_svc;
')
allow $1 session_bus_type:dbus acquire_svc;
')
########################################
## <summary>
## Allow a application domain to be started
## by the session dbus.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an
## entry point to this domain.
## </summary>
## </param>
#
interface(`dbus_session_domain',`
gen_require(`
attribute session_bus_type;
')
domtrans_pattern(session_bus_type, $2, $1)
dbus_session_bus_client($1)
dbus_connect_session_bus($1)
')
########################################
## <summary>
## Connect to the system DBUS
## for service (acquire_svc).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_connect_system_bus',`
gen_require(`
type system_dbusd_t;
class dbus acquire_svc;
')
allow $1 system_dbusd_t:dbus acquire_svc;
')
########################################
## <summary>
## Send a message on the system DBUS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_send_system_bus',`
gen_require(`
type system_dbusd_t;
class dbus send_msg;
')
allow $1 system_dbusd_t:dbus send_msg;
')
########################################
## <summary>
## Allow unconfined access to the system DBUS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_system_bus_unconfined',`
gen_require(`
type system_dbusd_t;
class dbus all_dbus_perms;
')
allow $1 system_dbusd_t:dbus *;
')
########################################
## <summary>
## Create a domain for processes
## which can be started by the system dbus
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
interface(`dbus_system_domain',`
gen_require(`
type system_dbusd_t;
role system_r;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(system_dbusd_t, $2, $1)
fs_search_all($1)
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
init_stream_connect($1)
ps_process_pattern(system_dbusd_t, $1)
userdom_dontaudit_search_admin_dir($1)
userdom_read_all_users_state($1)
optional_policy(`
rpm_script_dbus_chat($1)
')
optional_policy(`
unconfined_dbus_send($1)
')
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
########################################
## <summary>
## Dontaudit Read, and write system dbus TCP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
gen_require(`
type system_dbusd_t;
')
allow $1 system_dbusd_t:tcp_socket { read write };
allow $1 system_dbusd_t:fd use;
')
########################################
## <summary>
## Allow unconfined access to the system DBUS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_unconfined',`
gen_require(`
attribute dbusd_unconfined;
')
typeattribute $1 dbusd_unconfined;
')
########################################
## <summary>
## Delete all dbus pid files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_delete_pid_files',`
gen_require(`
type system_dbusd_var_run_t;
')
delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
')
Reference in New Issue View Git Blame Copy Permalink