selinux-refpolicy/policy/modules/services/dbus.te

302 lines
9.4 KiB
Plaintext
Raw Normal View History

policy_module(dbus, 1.27.5)
gen_require(`
class dbus all_dbus_perms;
')
########################################
#
# Declarations
#
attribute dbusd_unconfined;
attribute session_bus_type;
attribute dbusd_system_bus_client;
attribute dbusd_session_bus_client;
type dbusd_etc_t;
files_config_file(dbusd_etc_t)
type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
type dbusd_unit_t;
init_unit_file(dbusd_unit_t)
type session_dbusd_home_t;
userdom_user_home_content(session_dbusd_home_t)
type session_dbusd_runtime_t;
files_pid_file(session_dbusd_runtime_t)
userdom_user_runtime_content(session_dbusd_runtime_t)
type session_dbusd_tmp_t;
userdom_user_tmp_file(session_dbusd_tmp_t)
type system_dbusd_t;
init_system_domain(system_dbusd_t, dbusd_exec_t)
init_named_socket_activation(system_dbusd_t, system_dbusd_runtime_t)
type system_dbusd_runtime_t alias system_dbusd_var_run_t;
files_pid_file(system_dbusd_runtime_t)
init_daemon_pid_file(system_dbusd_runtime_t, dir, "dbus")
type system_dbusd_tmp_t;
files_tmp_file(system_dbusd_tmp_t)
type system_dbusd_var_lib_t;
files_type(system_dbusd_var_lib_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
########################################
#
# Local policy
#
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
allow system_dbusd_t dbusd_etc_t:dir { list_dir_perms watch };
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_dirs_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)
manage_files_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)
files_pid_filetrans(system_dbusd_t, system_dbusd_runtime_t, { dir file })
can_exec(system_dbusd_t, dbusd_exec_t)
Allow dbus to access /proc/sys/crypto/fips_enabled type=AVC msg=audit(1543769401.029:153): avc: denied { search } for pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { read } for pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { open } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { search } for pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { read } for pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { open } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-08 18:45:46 +00:00
kernel_read_crypto_sysctls(system_dbusd_t)
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
corecmd_exec_shell(system_dbusd_t)
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
files_list_home(system_dbusd_t)
files_read_usr_files(system_dbusd_t)
files_watch_usr_dirs(system_dbusd_t)
fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
fs_search_cgroup_dirs(system_dbusd_t)
fs_dontaudit_list_nfs(system_dbusd_t)
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
mls_socket_write_all_levels(system_dbusd_t)
mls_socket_read_to_clearance(system_dbusd_t)
mls_dbus_recv_all_levels(system_dbusd_t)
selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
selinux_compute_access_vector(system_dbusd_t)
selinux_compute_create_context(system_dbusd_t)
selinux_compute_relabel_context(system_dbusd_t)
selinux_compute_user_contexts(system_dbusd_t)
term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
init_all_labeled_script_domtrans(system_dbusd_t)
init_start_system(system_dbusd_t) # needed by dbus-broker
# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/*
libs_exec_lib_files(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
miscfiles_read_localization(system_dbusd_t)
miscfiles_read_generic_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
# read a file in ~/.local/share
userdom_read_user_home_content_files(system_dbusd_t)
ifdef(`init_systemd', `
# gdm3 causes system_dbusd_t to want this access
dev_rw_dri(system_dbusd_t)
dev_rw_input_dev(system_dbusd_t)
dbus: allow using dynamic UID When using a systemd service with dynamic UID, dbus-daemon reads symlinks in /run/systemd/dynamic-uid/: type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800 a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) type=AVC msg=audit(1547313774.993:373): avc: denied { read } for pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1 type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800 a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) type=AVC msg=audit(1547313774.993:374): avc: denied { read } for pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=1 This directory looks like this, on Arch Linux with systemd 240: # ls -alZ /run/systemd/dynamic-uid drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./ drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../ -rw-------. 1 root root system_u:object_r:init_var_run_t 8 2019-01-12 15:53 65306 lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 7 2019-01-12 15:53 direct:65306 -> haveged lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 5 2019-01-12 15:53 direct:haveged -> 65306
2019-01-12 17:31:56 +00:00
# for /run/systemd/dynamic-uid/
init_list_pids(system_dbusd_t)
init_read_runtime_symlinks(system_dbusd_t)
# Recent versions of dbus are started as Type=notify
init_write_runtime_socket(system_dbusd_t)
')
optional_policy(`
# for /run/systemd/users/*
systemd_read_logind_pids(system_dbusd_t)
systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
')
optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
')
optional_policy(`
consolekit_use_inhibit_lock(system_dbusd_t)
')
optional_policy(`
policykit_read_lib(system_dbusd_t)
')
optional_policy(`
seutil_sigchld_newrole(system_dbusd_t)
')
optional_policy(`
udev_read_db(system_dbusd_t)
')
optional_policy(`
unconfined_dbus_send(system_dbusd_t)
')
optional_policy(`
xserver_read_xdm_lib_files(system_dbusd_t)
xserver_use_xdm_fds(system_dbusd_t)
')
########################################
#
# Common session bus local policy
#
dontaudit session_bus_type self:capability sys_resource;
allow session_bus_type self:process { getattr sigkill signal };
dontaudit session_bus_type self:process { ptrace setrlimit };
allow session_bus_type self:file { getattr read write };
allow session_bus_type self:fifo_file rw_fifo_file_perms;
allow session_bus_type self:dbus { send_msg acquire_svc };
allow session_bus_type self:unix_stream_socket { accept listen };
allow session_bus_type self:tcp_socket { accept listen };
allow session_bus_type self:netlink_selinux_socket create_socket_perms;
allow session_bus_type dbusd_etc_t:dir list_dir_perms;
read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
allow session_bus_type dbusd_etc_t:dir watch;
manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
Allow dbus to access /proc/sys/crypto/fips_enabled type=AVC msg=audit(1543769401.029:153): avc: denied { search } for pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { read } for pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { open } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { search } for pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { read } for pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { open } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-08 18:45:46 +00:00
kernel_read_crypto_sysctls(session_bus_type)
kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
corenet_all_recvfrom_unlabeled(session_bus_type)
corenet_all_recvfrom_netlabel(session_bus_type)
corenet_tcp_sendrecv_generic_if(session_bus_type)
corenet_tcp_sendrecv_generic_node(session_bus_type)
corenet_tcp_bind_generic_node(session_bus_type)
corenet_sendrecv_all_server_packets(session_bus_type)
corenet_tcp_bind_reserved_port(session_bus_type)
dev_read_urand(session_bus_type)
domain_read_all_domains_state(session_bus_type)
domain_use_interactive_fds(session_bus_type)
files_list_home(session_bus_type)
files_read_usr_files(session_bus_type)
files_watch_usr_dirs(session_bus_type)
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
selinux_get_fs_mount(session_bus_type)
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
selinux_compute_relabel_context(session_bus_type)
selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
logging_send_syslog_msg(session_bus_type)
miscfiles_read_localization(session_bus_type)
seutil_read_config(session_bus_type)
seutil_read_default_contexts(session_bus_type)
term_use_all_terms(session_bus_type)
optional_policy(`
xserver_rw_xsession_log(session_bus_type)
xserver_use_xdm_fds(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
')
########################################
#
# Unconfined access to this module
#
allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;