Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/dbus.te
blob: ea3d8d2694b113fa41421e52e1cc4e1ed6a2569d (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

policy_module(dbus, 1.16.0)

gen_require(`
	class dbus all_dbus_perms;
')

##############################
#
# Delcarations
#

attribute dbusd_unconfined;
attribute session_bus_type;

type dbusd_etc_t;
files_config_file(dbusd_etc_t)

type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;

type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
userdom_user_tmp_file(session_dbusd_tmp_t)

type system_dbusd_t;
init_system_domain(system_dbusd_t, dbusd_exec_t)

type system_dbusd_tmp_t;
files_tmp_file(system_dbusd_tmp_t)

type system_dbusd_var_lib_t;
files_type(system_dbusd_var_lib_t)

type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)

ifdef(`enable_mcs',`
	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')

##############################
#
# System bus local policy
#

# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };

can_exec(system_dbusd_t, dbusd_exec_t)

allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)

manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })

read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)

manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)

kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)

dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)

fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
fs_dontaudit_list_nfs(system_dbusd_t)

mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
mls_socket_write_all_levels(system_dbusd_t)
mls_socket_read_to_clearance(system_dbusd_t)
mls_dbus_recv_all_levels(system_dbusd_t)

selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
selinux_compute_access_vector(system_dbusd_t)
selinux_compute_create_context(system_dbusd_t)
selinux_compute_relabel_context(system_dbusd_t)
selinux_compute_user_contexts(system_dbusd_t)

term_dontaudit_use_console(system_dbusd_t)

auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)

corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)

domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)

files_read_etc_files(system_dbusd_t)
files_list_home(system_dbusd_t)
files_read_usr_files(system_dbusd_t)

init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
init_domtrans_script(system_dbusd_t)

logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)

miscfiles_read_localization(system_dbusd_t)
miscfiles_read_generic_certs(system_dbusd_t)

seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
seutil_sigchld_newrole(system_dbusd_t)

userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)

optional_policy(`
	bind_domtrans(system_dbusd_t)
')

optional_policy(`
	policykit_dbus_chat(system_dbusd_t)
	policykit_domtrans_auth(system_dbusd_t)
	policykit_search_lib(system_dbusd_t)
')

optional_policy(`
	sysnet_domtrans_dhcpc(system_dbusd_t)
')

optional_policy(`
	udev_read_db(system_dbusd_t)
')

########################################
#
# Unconfined access to this module
#

allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;