From da9382afbd11e3f334510270b5a760f0f529c1fc Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Tue, 30 Nov 2021 12:03:16 -0500 Subject: [PATCH] dbus, policykit: add tunables for dbus-broker access Signed-off-by: Kenton Groombridge --- policy/modules/services/dbus.te | 44 ++++++++++++++++ policy/modules/services/policykit.if | 76 ++++++++++++++++++++++++++++ 2 files changed, 120 insertions(+) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index a3340ed95..c39898818 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -18,6 +18,23 @@ gen_require(` ## gen_tunable(dbus_pass_tuntap_fd, false) +## +##

+## Allow dbus-daemon system bus to to run systemd transient
+## units. This is used by dbus-broker for dbus-activated
+## services when the unit file for the service does not exist.
+##

+##
+gen_tunable(dbus_broker_run_transient_units, false)
+
+##
+##

+## Enable additional rules to support using dbus-broker
+## as the dbus-daemon system bus.
+##

+##
+gen_tunable(dbus_broker_system_bus, false) + attribute dbusd_unconfined; attribute session_bus_type; @@ -181,12 +198,39 @@ ifdef(`init_systemd', ` # Recent versions of dbus are started as Type=notify init_write_runtime_socket(system_dbusd_t) + + tunable_policy(`dbus_broker_system_bus',` + init_get_system_status(system_dbusd_t) + ') ') tunable_policy(`dbus_pass_tuntap_fd',` corenet_rw_tun_tap_dev(system_dbusd_t) ') +tunable_policy(`dbus_broker_run_transient_units',` + init_start_transient_units(system_dbusd_t) + init_stop_transient_units(system_dbusd_t) +') + +# the below duplicated tunable blocks are due to +# optionals within tunables not being supported +optional_policy(` + tunable_policy(`dbus_broker_system_bus',` + policykit_get_unit_status(system_dbusd_t) + policykit_start_unit(system_dbusd_t) + policykit_stop_unit(system_dbusd_t) + policykit_reload_unit(system_dbusd_t) + ') +') + +optional_policy(` + tunable_policy(`dbus_broker_system_bus',` + networkmanager_startstop(system_dbusd_t) + networkmanager_status(system_dbusd_t) + ') +') + optional_policy(` # for /run/systemd/users/* systemd_read_logind_runtime_files(system_dbusd_t) diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if index c036f85b1..1be4ff90f 100644 --- a/policy/modules/services/policykit.if +++ b/policy/modules/services/policykit.if 
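Review bot: The description added for dbus_broker_run_transient_units has a doubled word ("to to run") and does not tell the administrator how broad the grant is. Going by the rules added later in this file, enabling it lets system_dbusd_t start and stop transient units, so I would add a closing sentence to the description such as `Leave disabled unless dbus-activated services lack unit files.` The description of dbus_broker_system_bus could likewise name what it turns on, which in this patch is systemd status access plus control of the polkit and NetworkManager units.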
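Review bot: The dbus_broker_run_transient_units block is placed at top level, outside the init_systemd ifdef and independent of dbus_broker_system_bus, while the only other broker-specific init rule (init_get_system_status) sits inside that ifdef. As written, the boolean can be switched on for a bus daemon that is not dbus-broker, giving system_dbusd_t start and stop access to transient units with nothing in the policy tying it to the broker. I would move the block next to the init_get_system_status rule inside the ifdef, or at least add a comment above it such as `# transient unit control is only needed by dbus-broker under systemd`. The ifdef block opens before this hunk, so its full contents are not visible here.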
@@ -246,3 +246,79 @@ interface(`policykit_read_lib',`
 files_search_var_lib($1)
 read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
 ')
+
+########################################
+##
+## Get the status of the polkit systemd unit.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_get_unit_status',`
+ gen_require(`
+ type policykit_unit_t;
+ class service status;
+ ')
+
+ allow $1 policykit_unit_t:service status;
+')
+
+########################################
+##
+## Start the polkit systemd unit.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_start_unit',`
+ gen_require(`
+ type policykit_unit_t;
+ class service start;
+ ')
+
+ allow $1 policykit_unit_t:service start;
+')
+
+########################################
+##
+## Stop the polkit systemd unit.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_stop_unit',`
+ gen_require(`
+ type policykit_unit_t;
+ class service stop;
+ ')
+
+ allow $1 policykit_unit_t:service stop;
+')
+
+########################################
+##
+## Reload the polkit systemd unit.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_reload_unit',`
+ gen_require(`
+ type policykit_unit_t;
+ class service reload;
+ ')
+
+ allow $1 policykit_unit_t:service reload;
+')
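Review bot: The four new interfaces use a different naming scheme from the NetworkManager interfaces this same patch calls in dbus.te (networkmanager_startstop, networkmanager_status), which makes unit-control grants harder to audit by name. One permission per interface is the better shape for least privilege, so I would keep the split and state the scope in each summary, for example `## Start the polkit systemd unit (service start permission only).` Whether policykit_unit_t is declared in policykit.te is not visible in this patch and should be confirmed, because every gen_require here depends on it.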