dbus: add policy for dbus-broker

dbus-broker is a drop in replacement for dbus-daemon. It can therefore
mostly simply rely on the existing dbus policy module. However, it also
needs to have its binaries labeled correctly, and it needs permission to
perform the D-Bus method call StartTransientUnit on PID1, which
dbus-daemon did not.

For details see <https://github.com/bus1/dbus-broker/wiki>.

2 files changed, 3 insertions, 0 deletions

diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index eba45221d..c18fd7fd2 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -8,6 +8,8 @@ HOME_DIR/\.dbus(/.*)?				gen_context(system_u:object_r:session_dbusd_home_t,s0)
 /run/user/%{USERID}/dbus-1(/.*)?		gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
 
 /usr/bin/dbus-daemon(-1)?		--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-broker-launch		--	gen_context(system_u:object_r:dbusd_exec_t,s0) # needed by dbus-broker
+/usr/bin/dbus-broker			--	gen_context(system_u:object_r:dbusd_exec_t,s0) # needed by dbus-broker
 
 /usr/lib/dbus-.*/dbus-daemon-launch-helper	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 280dd8de4..bd8a7d549 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -133,6 +133,7 @@ auth_read_pam_console_data(system_dbusd_t)
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
 init_all_labeled_script_domtrans(system_dbusd_t)
+init_start_system(system_dbusd_t) # needed by dbus-broker
 
 logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)