Fix the dbus module so that temporary session named sockets

can be read and written in the role template and by system
and session bus clients.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/dbus.if |   22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
Guido Trentalancia 2023-08-30 16:13:18 +02:00
parent de026627fe
commit 5ff0aa1b61


@ -104,6 +104,7 @@ template(`dbus_role_template',`
allow $3 $1_dbusd_t:process { ptrace signal_perms };
allow $1_dbusd_t $3:process sigkill;
allow $1_dbusd_t session_dbusd_tmp_t:sock_file manage_sock_file_perms;
corecmd_bin_domtrans($1_dbusd_t, $3)
corecmd_shell_domtrans($1_dbusd_t, $3)
@ -150,6 +151,7 @@ interface(`dbus_system_bus_client',`
dbus_read_config($1)
dbus_list_system_bus_runtime($1)
dbus_read_system_bus_runtime_named_sockets($1)
dbus_rw_session_tmp_sockets($1)
')
#######################################
@ -222,6 +224,8 @@ interface(`dbus_all_session_bus_client',`
allow $1 session_bus_type:unix_stream_socket connectto;
allow $1 session_bus_type:fd use;
dbus_rw_session_tmp_sockets($1)
')
#######################################
@ -729,6 +733,24 @@ interface(`dbus_dontaudit_write_system_bus_runtime_named_sockets',`
dontaudit $1 system_dbusd_runtime_t:sock_file write;
')
########################################
## <summary>
## Read and write session named sockets in the tmp directory (/tmp).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_rw_session_tmp_sockets',`
gen_require(`
type session_dbusd_tmp_t;
')
rw_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
')
########################################
## <summary>
## Unconfined access to DBUS.
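Review bot: The `dbus_rw_session_tmp_sockets($1)` call added to `dbus_system_bus_client` gives every domain that is merely a system-bus client read/write access to the session buses' temporary sockets under /tmp, which widens the privilege of many system daemons well beyond what a system-bus connection needs; `dbus_all_session_bus_client` already receives the same call in the next hunk, so the line in the system-bus interface looks like the one to drop, or the commit message should say why system-bus clients need it. Separately, `rw_sock_files_pattern` only grants search on the `session_dbusd_tmp_t` directory type, so a caller that does not already hold search on /tmp itself still cannot reach the socket; adding `files_search_tmp($1)` before the `rw_sock_files_pattern` line would make the new interface self-contained, as the runtime-directory interfaces in this file presumably are. Whether sockets created by `$1_dbusd_t` actually receive the `session_dbusd_tmp_t` label depends on a `files_tmp_filetrans` rule covering `sock_file` in dbus.te, which this patch does not touch — worth confirming. The `dbus_system_bus_client` interface begins above its hunk.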