diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 7998aa2f6..4c15864cf 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -95,6 +95,7 @@ optional_policy(`authlogin.te',`
 optional_policy(`dbus.te',`
 dbus_system_bus_client_template(updfstab,updfstab_t)
+ dbus_send_system_bus_msg(updfstab_t)
 ')
 optional_policy(`modutils.te',`
@@ -114,7 +115,3 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te',`
 udev_read_db(updfstab_t)
 ')
-
-ifdef(`TODO',`
-allow updfstab_t system_dbusd_t:dbus { send_msg };
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index efe31f0f0..4003f020a 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -35,6 +35,8 @@ template(`dbus_per_userdomain_template',`
 domain_type($1_dbusd_t)
 role $3 types $1_dbusd_t;
+ type $1_dbusd_$1_t;
+
 type $1_dbusd_tmp_t;
 files_tmp_file($1_dbusd_tmp_t)
@@ -47,9 +49,19 @@ template(`dbus_per_userdomain_template',`
 allow $1_dbusd_t self:dbus { send_msg acquire_svc };
 allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+ allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
 # Receive notifications of policy reloads and enforcing status changes.
 allow $1_dbusd_t self:netlink_selinux_socket { create bind read };
+ # For connecting to the bus
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+ type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+ # SE-DBus specific permissions
+ allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+ allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t dbusd_etc_t:dir r_dir_perms;
 allow $1_dbusd_t dbusd_etc_t:file r_file_perms;
 allow $1_dbusd_t dbusd_etc_t:lnk_file { getattr read };
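Review bot: The added `dbus_send_system_bus_msg(updfstab_t)` only allows messages whose destination is the bus daemon itself (`system_dbusd_t`), so if updfstab ever addresses another service on the system bus the message is still denied: the userdomain.if hunk below keeps a paired `allow $1_t hald_t:dbus send_msg; allow hald_t $1_t:dbus send_msg;`, which suggests SE-DBus also checks the two endpoint domains. Either the corresponding per-service rule belongs next to this call, or a comment should record the assumption, e.g. `# updfstab only talks to the bus daemon itself; add a per-service send_msg rule if it ever calls a service`. This replaces the TODO block removed in the next hunk, so nothing else seems lost.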
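Review bot: The new `type $1_dbusd_$1_t;` is declared with no comment and no attribute, and the only use visible in this diff is the `type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;` added further down the template, so a reader cannot tell from the declaration what the type labels. A one-line comment such as `# type given to $2's connection on the per-user bus via type_change -- confirm` would make the intent explicit without changing policy. The enclosing `dbus_per_userdomain_template` starts before this hunk.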
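Review bot: `allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };` hardcodes `$1_t` while every other rule added in this hunk uses `$2` for the connecting domain, so a caller whose `$2` is not `$1_t` gets the per-user-bus rules but not the system-bus one, and when they are the same type the two spellings are merely confusing. It also grants `acquire_svc` on the *system* bus from a template that is otherwise about the per-user bus; the removed userdomain.if line did the same, but it is now buried inside dbus.if. `allow $2 system_dbusd_t:dbus { send_msg acquire_svc };` plus a comment explaining why the session-bus template touches the system bus would make it consistent, or the rule could move to `dbus_system_bus_client_template`. The `# For connecting to the bus` comment covers a `type_change` whose effect is not explained anywhere; a word on what `$1_dbusd_$1_t` represents would help. `dbus_per_userdomain_template` starts and ends outside this hunk.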
@@ -69,6 +81,14 @@ template(`dbus_per_userdomain_template',`
 kernel_read_system_state($1_dbusd_t)
 kernel_read_kernel_sysctl($1_dbusd_t)
+ corenet_tcp_sendrecv_all_if($1_dbusd_t)
+ corenet_raw_sendrecv_all_if($1_dbusd_t)
+ corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
+ corenet_raw_sendrecv_all_nodes($1_dbusd_t)
+ corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+ corenet_tcp_bind_all_nodes($1_dbusd_t)
+ corenet_tcp_bind_reserved_port($1_dbusd_t)
+
 dev_read_urand($1_dbusd_t)
 selinux_get_fs_mount($1_dbusd_t)
@@ -104,6 +124,8 @@ template(`dbus_per_userdomain_template',`
 seutil_read_config($1_dbusd_t)
 seutil_read_default_contexts($1_dbusd_t)
+ sysnet_read_config($1_dbusd_t)
+
 tunable_policy(`read_default_t',`
 files_list_default($1_dbusd_t)
 files_read_default_files($1_dbusd_t)
@@ -135,6 +157,14 @@ template(`dbus_per_userdomain_template',`
 ##
 #
 template(`dbus_system_bus_client_template',`
+ gen_require(`
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t;
+ class dir search;
+ class sock_file write;
+ class unix_stream_socket connectto;
+ class dbus send_msg;
+ ')
 type $1_dbusd_system_t;
 type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
@@ -148,3 +178,20 @@ template(`dbus_system_bus_client_template',`
 allow $2 system_dbusd_var_run_t:sock_file write;
 allow $2 system_dbusd_t:unix_stream_socket connectto;
 ')
+
+########################################
+##
+## Send a message on the system DBUS.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dbus_send_system_bus_msg',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 system_dbusd_t:dbus send_msg;
+')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 9015581dd..bd1a46718 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
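Review bot: `corenet_raw_sendrecv_all_if($1_dbusd_t)` and `corenet_raw_sendrecv_all_nodes($1_dbusd_t)` only matter if the daemon can open a raw IP socket, and the only socket class this change adds to `$1_dbusd_t` is `tcp_socket` in the previous hunk, so the two raw lines look like a leftover from expanding the removed `can_network_server_tcp($1_dbusd_t)` rather than something a session bus needs. Dropping them, or at least marking them `# carried over from can_network_server_tcp; confirm dbus-daemon needs raw IP`, keeps the per-user bus's network footprint to what is justified. Binding all nodes and reserved ports from a per-user daemon also deserves a why-comment, e.g. `# dbus-daemon may listen on a tcp: address if its session config asks for one`. The template continues outside this hunk.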
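Review bot: `type system_dbusd_t, system_dbusd_t;` in the new gen_require names the same type twice; it should read `type system_dbusd_t;` (the `system_dbusd_var_run_t` it was probably meant to list is already on the following line). The duplicate is noise at best and a potential complaint from a stricter policy compiler at worst. `class dir search;` has no matching rule in this hunk, so it is presumably consumed by the part of the template between the two dbus_system_bus_client_template hunks; worth confirming rather than leaving an unused requirement. The template continues past the end of this hunk.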
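Review bot: The description of `dbus_send_system_bus_msg` should state what it does not grant: the body only allows `send_msg` towards `system_dbusd_t`, so the caller cannot acquire a bus name (no `acquire_svc`) and messages addressed to another bus client still need a send_msg rule between the two endpoint domains, like the `$1_t`/`hald_t` pair kept in userdomain.if. A summary line such as `## Allows messages to the bus daemon only; messages to other bus clients need a per-service send_msg rule, and name ownership needs acquire_svc` would stop callers assuming this is sufficient. It is also worth noting that the caller must already be a bus client (dbus_system_bus_client_template), as updfstab.te does in this same commit.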
@@ -349,12 +349,6 @@ template(`base_user_template',`
 # Grant permissions to access the system DBus
 ifdef(`dbusd.te', `
- can_network_server_tcp($1_dbusd_t)
- allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
-
- allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
- dbusd_client($1, $1)
- allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
 ifdef(`hald.te', `
 allow $1_t hald_t:dbus send_msg;
 allow hald_t $1_t:dbus send_msg;