diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 7998aa2f6..4c15864cf 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -95,6 +95,7 @@ optional_policy(`authlogin.te',`
optional_policy(`dbus.te',`
dbus_system_bus_client_template(updfstab,updfstab_t)
+ dbus_send_system_bus_msg(updfstab_t)
')
optional_policy(`modutils.te',`
@@ -114,7 +115,3 @@ optional_policy(`selinuxutil.te',`
optional_policy(`udev.te',`
udev_read_db(updfstab_t)
')
-
-ifdef(`TODO',`
-allow updfstab_t system_dbusd_t:dbus { send_msg };
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index efe31f0f0..4003f020a 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -35,6 +35,8 @@ template(`dbus_per_userdomain_template',`
domain_type($1_dbusd_t)
role $3 types $1_dbusd_t;
+ type $1_dbusd_$1_t;
+
type $1_dbusd_tmp_t;
files_tmp_file($1_dbusd_tmp_t)
@@ -47,9 +49,19 @@ template(`dbus_per_userdomain_template',`
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+ allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow $1_dbusd_t self:netlink_selinux_socket { create bind read };
+ # For connecting to the bus
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+ type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+
+ # SE-DBus specific permissions
+ allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+ allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+
allow $1_dbusd_t dbusd_etc_t:dir r_dir_perms;
allow $1_dbusd_t dbusd_etc_t:file r_file_perms;
allow $1_dbusd_t dbusd_etc_t:lnk_file { getattr read };
@@ -69,6 +81,14 @@ template(`dbus_per_userdomain_template',`
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctl($1_dbusd_t)
+ corenet_tcp_sendrecv_all_if($1_dbusd_t)
+ corenet_raw_sendrecv_all_if($1_dbusd_t)
+ corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
+ corenet_raw_sendrecv_all_nodes($1_dbusd_t)
+ corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+ corenet_tcp_bind_all_nodes($1_dbusd_t)
+ corenet_tcp_bind_reserved_port($1_dbusd_t)
+
dev_read_urand($1_dbusd_t)
selinux_get_fs_mount($1_dbusd_t)
@@ -104,6 +124,8 @@ template(`dbus_per_userdomain_template',`
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
+ sysnet_read_config($1_dbusd_t)
+
tunable_policy(`read_default_t',`
files_list_default($1_dbusd_t)
files_read_default_files($1_dbusd_t)
@@ -135,6 +157,14 @@ template(`dbus_per_userdomain_template',`
##
#
template(`dbus_system_bus_client_template',`
+ gen_require(`
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t;
+ class dir search;
+ class sock_file write;
+ class unix_stream_socket connectto;
+ class dbus send_msg;
+ ')
type $1_dbusd_system_t;
type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
@@ -148,3 +178,20 @@ template(`dbus_system_bus_client_template',`
allow $2 system_dbusd_var_run_t:sock_file write;
allow $2 system_dbusd_t:unix_stream_socket connectto;
')
+
+########################################
+##
+## Send a message on the system DBUS.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dbus_send_system_bus_msg',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 system_dbusd_t:dbus send_msg;
+')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 9015581dd..bd1a46718 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -349,12 +349,6 @@ template(`base_user_template',`
# Grant permissions to access the system DBus
ifdef(`dbusd.te', `
- can_network_server_tcp($1_dbusd_t)
- allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
-
- allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
- dbusd_client($1, $1)
- allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
ifdef(`hald.te', `
allow $1_t hald_t:dbus send_msg;
allow hald_t $1_t:dbus send_msg;