Fix the dbus module so that temporary session named sockets
can be read and written in the role template and by system and session bus clients. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/services/dbus.if | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+)
parent
de026627fe
commit
5ff0aa1b61
@ -104,6 +104,7 @@ template(`dbus_role_template',`
|
||||
allow $3 $1_dbusd_t:process { ptrace signal_perms };
|
||||
|
||||
allow $1_dbusd_t $3:process sigkill;
|
||||
allow $1_dbusd_t session_dbusd_tmp_t:sock_file manage_sock_file_perms;
|
||||
|
||||
corecmd_bin_domtrans($1_dbusd_t, $3)
|
||||
corecmd_shell_domtrans($1_dbusd_t, $3)
|
||||
@ -150,6 +151,7 @@ interface(`dbus_system_bus_client',`
|
||||
dbus_read_config($1)
|
||||
dbus_list_system_bus_runtime($1)
|
||||
dbus_read_system_bus_runtime_named_sockets($1)
|
||||
dbus_rw_session_tmp_sockets($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -222,6 +224,8 @@ interface(`dbus_all_session_bus_client',`
|
||||
|
||||
allow $1 session_bus_type:unix_stream_socket connectto;
|
||||
allow $1 session_bus_type:fd use;
|
||||
|
||||
dbus_rw_session_tmp_sockets($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -729,6 +733,24 @@ interface(`dbus_dontaudit_write_system_bus_runtime_named_sockets',`
|
||||
dontaudit $1 system_dbusd_runtime_t:sock_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write session named sockets in the tmp directory (/tmp).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dbus_rw_session_tmp_sockets',`
|
||||
gen_require(`
|
||||
type session_dbusd_tmp_t;
|
||||
')
|
||||
|
||||
rw_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to DBUS.
|
||||
|
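Review bot: The `dbus_rw_session_tmp_sockets($1)` call added to `dbus_system_bus_client` (second hunk, after `dbus_read_system_bus_runtime_named_sockets($1)`) grants every system-bus client domain read/write on `session_dbusd_tmp_t` sock_files, which is wider than the commit's stated goal: a service that only talks to the system bus gains write access to users' session-bus sockets in /tmp, and since `session_dbusd_tmp_t` is a single shared type (not `$1_`-prefixed like `$1_dbusd_t` in the role template) that access is not separated per user. I would drop that line from `dbus_system_bus_client` and keep the grant in `dbus_all_session_bus_client` and the per-role session-client path, so a domain that genuinely needs both buses requests both interfaces. The new interface's `rw_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)` presumably grants only search on `session_dbusd_tmp_t` directories plus rw on the sock_file, so callers likely still need `files_search_tmp($1)` to traverse /tmp to the socket — worth confirming, and if so noting it in the interface description, e.g. `## Callers also need search access to /tmp (files_search_tmp).`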