diff options
| author |   Guido Trentalancia <guido@trentalancia.net> | 2017-05-25 13:23:26 +0200 |
|---|---|---|
| committer |   Jason Zaman <jason@perfinion.com> | 2017-06-06 01:16:18 +0800 |
| commit | e2346cfeb76c46e1dbf2afc99f792f053693c899 (patch) | |
| tree | e754a38a8674a910e834a930a6da1ebf50925a15 | |
| parent | Module version bumps for patches from Jason Zaman. (diff) | |
| download | hardened-refpolicy-e2346cfe.tar.gz hardened-refpolicy-e2346cfe.tar.bz2 hardened-refpolicy-e2346cfe.zip | |
dbus: let session bus daemon manage user runtime dirs
Let the session dbus process manage user runtime directories (with
its own file type).
This is the fifth version (v5) of the patch, thanks to Dominick
Grift for revising the previous versions and suggesting improvements,
although unfortunately this new version needs to revert one of the
suggested amendments because it was misleading.
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
| -rw-r--r-- | policy/modules/contrib/dbus.fc | 2 | ||||
| -rw-r--r-- | policy/modules/contrib/dbus.te | 8 |
2 files changed, 10 insertions, 0 deletions
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc index c2a15358..eba45221 100644 --- a/policy/modules/contrib/dbus.fc +++ b/policy/modules/contrib/dbus.fc @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0) +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te index ca39fb6b..007de863 100644 --- a/policy/modules/contrib/dbus.te +++ b/policy/modules/contrib/dbus.te @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") +type session_dbusd_runtime_t; +files_pid_file(session_dbusd_runtime_t) + ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) ') @@ -210,6 +213,11 @@ manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) + kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type) |