dbus, policykit: add tunables for dbus-broker access
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
db4b647a29
commit
da9382afbd
|
@ -18,6 +18,23 @@ gen_require(`
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(dbus_pass_tuntap_fd, false)
|
gen_tunable(dbus_pass_tuntap_fd, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow dbus-daemon system bus to to run systemd transient
|
||||||
|
## units. This is used by dbus-broker for dbus-activated
|
||||||
|
## services when the unit file for the service does not exist.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(dbus_broker_run_transient_units, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Enable additional rules to support using dbus-broker
|
||||||
|
## as the dbus-daemon system bus.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(dbus_broker_system_bus, false)
|
||||||
|
|
||||||
attribute dbusd_unconfined;
|
attribute dbusd_unconfined;
|
||||||
attribute session_bus_type;
|
attribute session_bus_type;
|
||||||
|
|
||||||
|
@ -181,12 +198,39 @@ ifdef(`init_systemd', `
|
||||||
|
|
||||||
# Recent versions of dbus are started as Type=notify
|
# Recent versions of dbus are started as Type=notify
|
||||||
init_write_runtime_socket(system_dbusd_t)
|
init_write_runtime_socket(system_dbusd_t)
|
||||||
|
|
||||||
|
tunable_policy(`dbus_broker_system_bus',`
|
||||||
|
init_get_system_status(system_dbusd_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`dbus_pass_tuntap_fd',`
|
tunable_policy(`dbus_pass_tuntap_fd',`
|
||||||
corenet_rw_tun_tap_dev(system_dbusd_t)
|
corenet_rw_tun_tap_dev(system_dbusd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`dbus_broker_run_transient_units',`
|
||||||
|
init_start_transient_units(system_dbusd_t)
|
||||||
|
init_stop_transient_units(system_dbusd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
# the below duplicated tunable blocks are due to
|
||||||
|
# optionals within tunables not being supported
|
||||||
|
optional_policy(`
|
||||||
|
tunable_policy(`dbus_broker_system_bus',`
|
||||||
|
policykit_get_unit_status(system_dbusd_t)
|
||||||
|
policykit_start_unit(system_dbusd_t)
|
||||||
|
policykit_stop_unit(system_dbusd_t)
|
||||||
|
policykit_reload_unit(system_dbusd_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tunable_policy(`dbus_broker_system_bus',`
|
||||||
|
networkmanager_startstop(system_dbusd_t)
|
||||||
|
networkmanager_status(system_dbusd_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# for /run/systemd/users/*
|
# for /run/systemd/users/*
|
||||||
systemd_read_logind_runtime_files(system_dbusd_t)
|
systemd_read_logind_runtime_files(system_dbusd_t)
|
||||||
|
|
|
@ -246,3 +246,79 @@ interface(`policykit_read_lib',`
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
|
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the status of the polkit systemd unit.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`policykit_get_unit_status',`
|
||||||
|
gen_require(`
|
||||||
|
type policykit_unit_t;
|
||||||
|
class service status;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 policykit_unit_t:service status;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Start the polkit systemd unit.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`policykit_start_unit',`
|
||||||
|
gen_require(`
|
||||||
|
type policykit_unit_t;
|
||||||
|
class service start;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 policykit_unit_t:service start;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Stop the polkit systemd unit.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`policykit_stop_unit',`
|
||||||
|
gen_require(`
|
||||||
|
type policykit_unit_t;
|
||||||
|
class service stop;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 policykit_unit_t:service stop;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Reload the polkit systemd unit.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`policykit_reload_unit',`
|
||||||
|
gen_require(`
|
||||||
|
type policykit_unit_t;
|
||||||
|
class service reload;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 policykit_unit_t:service reload;
|
||||||
|
')
|
||||||
|
|
Loading…
Reference in New Issue