selinux-refpolicy/policy/modules/services/dbus.te

policy_module(dbus, 1.27.0)

gen_require(`
	class dbus all_dbus_perms;
')

########################################
#
# Declarations
#

attribute dbusd_unconfined;
attribute session_bus_type;

attribute dbusd_system_bus_client;
attribute dbusd_session_bus_client;

type dbusd_etc_t;
files_config_file(dbusd_etc_t)

type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;

type dbusd_unit_t;
init_unit_file(dbusd_unit_t)

type session_dbusd_home_t;
userdom_user_home_content(session_dbusd_home_t)

type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
userdom_user_tmp_file(session_dbusd_tmp_t)

type system_dbusd_t;
init_system_domain(system_dbusd_t, dbusd_exec_t)
init_named_socket_activation(system_dbusd_t, system_dbusd_runtime_t)

type system_dbusd_tmp_t;
files_tmp_file(system_dbusd_tmp_t)

type system_dbusd_var_lib_t;
files_type(system_dbusd_var_lib_t)

type system_dbusd_runtime_t alias system_dbusd_var_run_t;
files_pid_file(system_dbusd_runtime_t)
init_daemon_pid_file(system_dbusd_runtime_t, dir, "dbus")

type session_dbusd_runtime_t;
files_pid_file(session_dbusd_runtime_t)
userdom_user_runtime_content(session_dbusd_runtime_t)

ifdef(`enable_mcs',`
	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')

########################################
#
# Local policy
#

allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
allow system_dbusd_t self:netlink_selinux_socket { create bind read };

allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)

manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })

read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)

manage_dirs_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)
manage_files_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)
files_pid_filetrans(system_dbusd_t, system_dbusd_runtime_t, { dir file })

can_exec(system_dbusd_t, dbusd_exec_t)

kernel_read_crypto_sysctls(system_dbusd_t)
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)

corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
corecmd_exec_shell(system_dbusd_t)

dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)

domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)

files_list_home(system_dbusd_t)
files_read_usr_files(system_dbusd_t)

fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
fs_search_cgroup_dirs(system_dbusd_t)
fs_dontaudit_list_nfs(system_dbusd_t)

mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
mls_socket_write_all_levels(system_dbusd_t)
mls_socket_read_to_clearance(system_dbusd_t)
mls_dbus_recv_all_levels(system_dbusd_t)

selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
selinux_compute_access_vector(system_dbusd_t)
selinux_compute_create_context(system_dbusd_t)
selinux_compute_relabel_context(system_dbusd_t)
selinux_compute_user_contexts(system_dbusd_t)

term_dontaudit_use_console(system_dbusd_t)

auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)

init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
init_all_labeled_script_domtrans(system_dbusd_t)
init_start_system(system_dbusd_t) # needed by dbus-broker

# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/*
libs_exec_lib_files(system_dbusd_t)

logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)

miscfiles_read_localization(system_dbusd_t)
miscfiles_read_generic_certs(system_dbusd_t)

seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)

userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
# read a file in ~/.local/share
userdom_read_user_home_content_files(system_dbusd_t)

ifdef(`init_systemd', `
	# gdm3 causes system_dbusd_t to want this access
	dev_rw_dri(system_dbusd_t)
	dev_rw_input_dev(system_dbusd_t)

	# for /run/systemd/dynamic-uid/
	init_list_pids(system_dbusd_t)
	init_read_runtime_symlinks(system_dbusd_t)
')

optional_policy(`
	# for /run/systemd/users/*
	systemd_read_logind_pids(system_dbusd_t)
	systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
')

optional_policy(`
	bluetooth_stream_connect(system_dbusd_t)
')

optional_policy(`
	consolekit_use_inhibit_lock(system_dbusd_t)
')

optional_policy(`
	policykit_read_lib(system_dbusd_t)
')

optional_policy(`
	seutil_sigchld_newrole(system_dbusd_t)
')

optional_policy(`
	udev_read_db(system_dbusd_t)
')

optional_policy(`
	unconfined_dbus_send(system_dbusd_t)
')

optional_policy(`
	xserver_read_xdm_lib_files(system_dbusd_t)
	xserver_use_xdm_fds(system_dbusd_t)
')

########################################
#
# Common session bus local policy
#

dontaudit session_bus_type self:capability sys_resource;
allow session_bus_type self:process { getattr sigkill signal };
dontaudit session_bus_type self:process { ptrace setrlimit };
allow session_bus_type self:file { getattr read write };
allow session_bus_type self:fifo_file rw_fifo_file_perms;
allow session_bus_type self:dbus { send_msg acquire_svc };
allow session_bus_type self:unix_stream_socket { accept listen };
allow session_bus_type self:tcp_socket { accept listen };
allow session_bus_type self:netlink_selinux_socket create_socket_perms;

allow session_bus_type dbusd_etc_t:dir list_dir_perms;
read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)

manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")

manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })

manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })

kernel_read_crypto_sysctls(session_bus_type)
kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)

corecmd_list_bin(session_bus_type)
corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)

corenet_all_recvfrom_unlabeled(session_bus_type)
corenet_all_recvfrom_netlabel(session_bus_type)
corenet_tcp_sendrecv_generic_if(session_bus_type)
corenet_tcp_sendrecv_generic_node(session_bus_type)
corenet_tcp_sendrecv_all_ports(session_bus_type)
corenet_tcp_bind_generic_node(session_bus_type)

corenet_sendrecv_all_server_packets(session_bus_type)
corenet_tcp_bind_reserved_port(session_bus_type)

dev_read_urand(session_bus_type)

domain_read_all_domains_state(session_bus_type)
domain_use_interactive_fds(session_bus_type)

files_list_home(session_bus_type)
files_read_usr_files(session_bus_type)
files_dontaudit_search_var(session_bus_type)

fs_getattr_romfs(session_bus_type)
fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)

selinux_get_fs_mount(session_bus_type)
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
selinux_compute_relabel_context(session_bus_type)
selinux_compute_user_contexts(session_bus_type)

auth_read_pam_console_data(session_bus_type)

logging_send_audit_msgs(session_bus_type)
logging_send_syslog_msg(session_bus_type)

miscfiles_read_localization(session_bus_type)

seutil_read_config(session_bus_type)
seutil_read_default_contexts(session_bus_type)

term_use_all_terms(session_bus_type)

optional_policy(`
	xserver_rw_xsession_log(session_bus_type)
	xserver_use_xdm_fds(session_bus_type)
	xserver_rw_xdm_pipes(session_bus_type)
')

########################################
#
# Unconfined access to this module
#

allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2019-06-09 18:05:19 +00:00			`policy_module(dbus, 1.27.0)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00
			gen_require(`
			`class dbus all_dbus_perms;`
			`')`

			`########################################`
			`#`
			`# Declarations`
			`#`

			`attribute dbusd_unconfined;`
			`attribute session_bus_type;`

			`attribute dbusd_system_bus_client;`
			`attribute dbusd_session_bus_client;`

			`type dbusd_etc_t;`
			`files_config_file(dbusd_etc_t)`

			`type dbusd_exec_t;`
			`corecmd_executable_file(dbusd_exec_t)`
			`typealias dbusd_exec_t alias system_dbusd_exec_t;`

			`type dbusd_unit_t;`
			`init_unit_file(dbusd_unit_t)`

			`type session_dbusd_home_t;`
			`userdom_user_home_content(session_dbusd_home_t)`

			`type session_dbusd_tmp_t;`
			`typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };`
			`typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };`
			`userdom_user_tmp_file(session_dbusd_tmp_t)`

			`type system_dbusd_t;`
			`init_system_domain(system_dbusd_t, dbusd_exec_t)`
Rename _var_run_t types to _runtime_t. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2019-09-08 20:55:02 +00:00			`init_named_socket_activation(system_dbusd_t, system_dbusd_runtime_t)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00
			`type system_dbusd_tmp_t;`
			`files_tmp_file(system_dbusd_tmp_t)`

			`type system_dbusd_var_lib_t;`
			`files_type(system_dbusd_var_lib_t)`

Rename _var_run_t types to _runtime_t. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2019-09-08 20:55:02 +00:00			`type system_dbusd_runtime_t alias system_dbusd_var_run_t;`
			`files_pid_file(system_dbusd_runtime_t)`
			`init_daemon_pid_file(system_dbusd_runtime_t, dir, "dbus")`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00
			`type session_dbusd_runtime_t;`
			`files_pid_file(session_dbusd_runtime_t)`
			`userdom_user_runtime_content(session_dbusd_runtime_t)`

			ifdef(`enable_mcs',`
			`init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)`
			`')`

			ifdef(`enable_mls',`
			`init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)`
			`')`

			`########################################`
			`#`
			`# Local policy`
			`#`

			`allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };`
			`dontaudit system_dbusd_t self:capability sys_tty_config;`
			`allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };`
			`allow system_dbusd_t self:fifo_file rw_fifo_file_perms;`
			`allow system_dbusd_t self:dbus { send_msg acquire_svc };`
			`allow system_dbusd_t self:unix_stream_socket { accept connectto listen };`
			`allow system_dbusd_t self:netlink_selinux_socket { create bind read };`

			`allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;`
			`read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)`
			`read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)`

			`manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)`
			`manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)`
			`files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })`

			`read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)`

Rename _var_run_t types to _runtime_t. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2019-09-08 20:55:02 +00:00			`manage_dirs_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)`
			`manage_files_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)`
			`manage_sock_files_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)`
			`files_pid_filetrans(system_dbusd_t, system_dbusd_runtime_t, { dir file })`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00
			`can_exec(system_dbusd_t, dbusd_exec_t)`

Allow dbus to access /proc/sys/crypto/fips_enabled type=AVC msg=audit(1543769401.029:153): avc: denied { search } for pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { read } for pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { open } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { search } for pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { read } for pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { open } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com> 2018-12-08 18:45:46 +00:00			`kernel_read_crypto_sysctls(system_dbusd_t)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`kernel_read_system_state(system_dbusd_t)`
			`kernel_read_kernel_sysctls(system_dbusd_t)`

			`corecmd_list_bin(system_dbusd_t)`
			`corecmd_read_bin_pipes(system_dbusd_t)`
			`corecmd_read_bin_sockets(system_dbusd_t)`
			`corecmd_exec_shell(system_dbusd_t)`

			`dev_read_urand(system_dbusd_t)`
			`dev_read_sysfs(system_dbusd_t)`

			`domain_use_interactive_fds(system_dbusd_t)`
			`domain_read_all_domains_state(system_dbusd_t)`

			`files_list_home(system_dbusd_t)`
			`files_read_usr_files(system_dbusd_t)`

			`fs_getattr_all_fs(system_dbusd_t)`
			`fs_list_inotifyfs(system_dbusd_t)`
			`fs_search_auto_mountpoints(system_dbusd_t)`
			`fs_search_cgroup_dirs(system_dbusd_t)`
			`fs_dontaudit_list_nfs(system_dbusd_t)`

			`mls_fd_use_all_levels(system_dbusd_t)`
			`mls_rangetrans_target(system_dbusd_t)`
			`mls_file_read_all_levels(system_dbusd_t)`
			`mls_socket_write_all_levels(system_dbusd_t)`
			`mls_socket_read_to_clearance(system_dbusd_t)`
			`mls_dbus_recv_all_levels(system_dbusd_t)`

			`selinux_get_fs_mount(system_dbusd_t)`
			`selinux_validate_context(system_dbusd_t)`
			`selinux_compute_access_vector(system_dbusd_t)`
			`selinux_compute_create_context(system_dbusd_t)`
			`selinux_compute_relabel_context(system_dbusd_t)`
			`selinux_compute_user_contexts(system_dbusd_t)`

			`term_dontaudit_use_console(system_dbusd_t)`

			`auth_use_nsswitch(system_dbusd_t)`
			`auth_read_pam_console_data(system_dbusd_t)`

			`init_use_fds(system_dbusd_t)`
			`init_use_script_ptys(system_dbusd_t)`
			`init_all_labeled_script_domtrans(system_dbusd_t)`
			`init_start_system(system_dbusd_t) # needed by dbus-broker`

			`# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/*`
			`libs_exec_lib_files(system_dbusd_t)`

			`logging_send_audit_msgs(system_dbusd_t)`
			`logging_send_syslog_msg(system_dbusd_t)`

			`miscfiles_read_localization(system_dbusd_t)`
			`miscfiles_read_generic_certs(system_dbusd_t)`

			`seutil_read_config(system_dbusd_t)`
			`seutil_read_default_contexts(system_dbusd_t)`

			`userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)`
			`userdom_dontaudit_search_user_home_dirs(system_dbusd_t)`
			`# read a file in ~/.local/share`
			`userdom_read_user_home_content_files(system_dbusd_t)`

			ifdef(`init_systemd', `
			`# gdm3 causes system_dbusd_t to want this access`
			`dev_rw_dri(system_dbusd_t)`
			`dev_rw_input_dev(system_dbusd_t)`
dbus: allow using dynamic UID When using a systemd service with dynamic UID, dbus-daemon reads symlinks in /run/systemd/dynamic-uid/: type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800 a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) type=AVC msg=audit(1547313774.993:373): avc: denied { read } for pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1 type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800 a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) type=AVC msg=audit(1547313774.993:374): avc: denied { read } for pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=1 This directory looks like this, on Arch Linux with systemd 240: # ls -alZ /run/systemd/dynamic-uid drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./ drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../ -rw-------. 1 root root system_u:object_r:init_var_run_t 8 2019-01-12 15:53 65306 lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 7 2019-01-12 15:53 direct:65306 -> haveged lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 5 2019-01-12 15:53 direct:haveged -> 65306 2019-01-12 17:31:56 +00:00
			`# for /run/systemd/dynamic-uid/`
			`init_list_pids(system_dbusd_t)`
			`init_read_runtime_symlinks(system_dbusd_t)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`')`

			optional_policy(`
			`# for /run/systemd/users/*`
			`systemd_read_logind_pids(system_dbusd_t)`
			`systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)`
			`systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)`
			`')`

			optional_policy(`
			`bluetooth_stream_connect(system_dbusd_t)`
			`')`

			optional_policy(`
			`consolekit_use_inhibit_lock(system_dbusd_t)`
			`')`

			optional_policy(`
			`policykit_read_lib(system_dbusd_t)`
			`')`

			optional_policy(`
			`seutil_sigchld_newrole(system_dbusd_t)`
			`')`

			optional_policy(`
			`udev_read_db(system_dbusd_t)`
			`')`

			optional_policy(`
			`unconfined_dbus_send(system_dbusd_t)`
			`')`

			optional_policy(`
			`xserver_read_xdm_lib_files(system_dbusd_t)`
			`xserver_use_xdm_fds(system_dbusd_t)`
			`')`

			`########################################`
			`#`
			`# Common session bus local policy`
			`#`

			`dontaudit session_bus_type self:capability sys_resource;`
			`allow session_bus_type self:process { getattr sigkill signal };`
			`dontaudit session_bus_type self:process { ptrace setrlimit };`
			`allow session_bus_type self:file { getattr read write };`
			`allow session_bus_type self:fifo_file rw_fifo_file_perms;`
			`allow session_bus_type self:dbus { send_msg acquire_svc };`
			`allow session_bus_type self:unix_stream_socket { accept listen };`
			`allow session_bus_type self:tcp_socket { accept listen };`
			`allow session_bus_type self:netlink_selinux_socket create_socket_perms;`

			`allow session_bus_type dbusd_etc_t:dir list_dir_perms;`
			`read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)`
			`read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)`

			`manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)`
			`manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)`
			`userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")`

			`manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)`
			`manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)`
			`files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })`

			`manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)`
			`manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)`
			`manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)`
			`userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })`

Allow dbus to access /proc/sys/crypto/fips_enabled type=AVC msg=audit(1543769401.029:153): avc: denied { search } for pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { read } for pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { open } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { search } for pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { read } for pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { open } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com> 2018-12-08 18:45:46 +00:00			`kernel_read_crypto_sysctls(session_bus_type)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`kernel_read_system_state(session_bus_type)`
			`kernel_read_kernel_sysctls(session_bus_type)`

			`corecmd_list_bin(session_bus_type)`
			`corecmd_read_bin_files(session_bus_type)`
			`corecmd_read_bin_pipes(session_bus_type)`
			`corecmd_read_bin_sockets(session_bus_type)`

			`corenet_all_recvfrom_unlabeled(session_bus_type)`
			`corenet_all_recvfrom_netlabel(session_bus_type)`
			`corenet_tcp_sendrecv_generic_if(session_bus_type)`
			`corenet_tcp_sendrecv_generic_node(session_bus_type)`
			`corenet_tcp_sendrecv_all_ports(session_bus_type)`
			`corenet_tcp_bind_generic_node(session_bus_type)`

			`corenet_sendrecv_all_server_packets(session_bus_type)`
			`corenet_tcp_bind_reserved_port(session_bus_type)`

			`dev_read_urand(session_bus_type)`

			`domain_read_all_domains_state(session_bus_type)`
			`domain_use_interactive_fds(session_bus_type)`

			`files_list_home(session_bus_type)`
			`files_read_usr_files(session_bus_type)`
			`files_dontaudit_search_var(session_bus_type)`

			`fs_getattr_romfs(session_bus_type)`
			`fs_getattr_xattr_fs(session_bus_type)`
			`fs_list_inotifyfs(session_bus_type)`
			`fs_dontaudit_list_nfs(session_bus_type)`

			`selinux_get_fs_mount(session_bus_type)`
			`selinux_validate_context(session_bus_type)`
			`selinux_compute_access_vector(session_bus_type)`
			`selinux_compute_create_context(session_bus_type)`
			`selinux_compute_relabel_context(session_bus_type)`
			`selinux_compute_user_contexts(session_bus_type)`

			`auth_read_pam_console_data(session_bus_type)`

			`logging_send_audit_msgs(session_bus_type)`
			`logging_send_syslog_msg(session_bus_type)`

			`miscfiles_read_localization(session_bus_type)`

			`seutil_read_config(session_bus_type)`
			`seutil_read_default_contexts(session_bus_type)`

			`term_use_all_terms(session_bus_type)`

			optional_policy(`
			`xserver_rw_xsession_log(session_bus_type)`
			`xserver_use_xdm_fds(session_bus_type)`
			`xserver_rw_xdm_pipes(session_bus_type)`
			`')`

			`########################################`
			`#`
			`# Unconfined access to this module`
			`#`

			`allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;`
			`allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;`