dbus, policykit: add tunables for dbus-broker access

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-30 12:03:16 -05:00 · 2021-11-30 12:03:16 -05:00 · da9382afbd
parent db4b647a29
commit da9382afbd
2 changed files with 120 additions and 0 deletions
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@ -18,6 +18,23 @@ gen_require(`
 ## </desc>
 gen_tunable(dbus_pass_tuntap_fd, false)

+## <desc>
+## <p>
+## Allow dbus-daemon system bus to to run systemd transient
+## units. This is used by dbus-broker for dbus-activated
+## services when the unit file for the service does not exist.
+## </p>
+## </desc>
+gen_tunable(dbus_broker_run_transient_units, false)
+
+## <desc>
+## <p>
+## Enable additional rules to support using dbus-broker
+## as the dbus-daemon system bus.
+## </p>
+## </desc>
+gen_tunable(dbus_broker_system_bus, false)
+
 attribute dbusd_unconfined;
 attribute session_bus_type;

@ -181,12 +198,39 @@ ifdef(`init_systemd', `

 	# Recent versions of dbus are started as Type=notify
 	init_write_runtime_socket(system_dbusd_t)
+
+	tunable_policy(`dbus_broker_system_bus',`
+		init_get_system_status(system_dbusd_t)
+	')
 ')

 tunable_policy(`dbus_pass_tuntap_fd',`
        corenet_rw_tun_tap_dev(system_dbusd_t)
 ')

+tunable_policy(`dbus_broker_run_transient_units',`
+	init_start_transient_units(system_dbusd_t)
+	init_stop_transient_units(system_dbusd_t)
+')
+
+# the below duplicated tunable blocks are due to
+# optionals within tunables not being supported
+optional_policy(`
+	tunable_policy(`dbus_broker_system_bus',`
+		policykit_get_unit_status(system_dbusd_t)
+		policykit_start_unit(system_dbusd_t)
+		policykit_stop_unit(system_dbusd_t)
+		policykit_reload_unit(system_dbusd_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`dbus_broker_system_bus',`
+		networkmanager_startstop(system_dbusd_t)
+		networkmanager_status(system_dbusd_t)
+	')
+')
+
 optional_policy(`
 	# for /run/systemd/users/*
 	systemd_read_logind_runtime_files(system_dbusd_t)
--- a/policy/modules/services/policykit.if
+++ b/policy/modules/services/policykit.if
@ -246,3 +246,79 @@ interface(`policykit_read_lib',`
 	files_search_var_lib($1)
 	read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
 ')
+
+########################################
+## <summary>
+##	Get the status of the polkit systemd unit.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`policykit_get_unit_status',`
+	gen_require(`
+		type policykit_unit_t;
+		class service status;
+	')
+
+	allow $1 policykit_unit_t:service status;
+')
+
+########################################
+## <summary>
+##	Start the polkit systemd unit.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`policykit_start_unit',`
+	gen_require(`
+		type policykit_unit_t;
+		class service start;
+	')
+
+	allow $1 policykit_unit_t:service start;
+')
+
+########################################
+## <summary>
+##	Stop the polkit systemd unit.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`policykit_stop_unit',`
+	gen_require(`
+		type policykit_unit_t;
+		class service stop;
+	')
+
+	allow $1 policykit_unit_t:service stop;
+')
+
+########################################
+## <summary>
+##	Reload the polkit systemd unit.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`policykit_reload_unit',`
+	gen_require(`
+		type policykit_unit_t;
+		class service reload;
+	')
+
+	allow $1 policykit_unit_t:service reload;
+')