Fix the dbus module so that temporary session named sockets

can be read and written in the role template and by system and session bus clients. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/services/dbus.if | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+)
2023-08-30 16:13:18 +02:00 · 2023-08-30 16:13:18 +02:00 · 5ff0aa1b61
commit 5ff0aa1b61
parent de026627fe
1 changed files with 22 additions and 0 deletions
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@ -104,6 +104,7 @@ template(`dbus_role_template',`
 	allow $3 $1_dbusd_t:process { ptrace signal_perms };
 	allow $1_dbusd_t $3:process sigkill;
 	allow $1_dbusd_t session_dbusd_tmp_t:sock_file manage_sock_file_perms;
 	corecmd_bin_domtrans($1_dbusd_t, $3)
 	corecmd_shell_domtrans($1_dbusd_t, $3)
@ -150,6 +151,7 @@ interface(`dbus_system_bus_client',`
 	dbus_read_config($1)
 	dbus_list_system_bus_runtime($1)
 	dbus_read_system_bus_runtime_named_sockets($1)
 	dbus_rw_session_tmp_sockets($1)
 ')
 #######################################
@ -222,6 +224,8 @@ interface(`dbus_all_session_bus_client',`
 	allow $1 session_bus_type:unix_stream_socket connectto;
 	allow $1 session_bus_type:fd use;
 	dbus_rw_session_tmp_sockets($1)
 ')
 #######################################
@ -729,6 +733,24 @@ interface(`dbus_dontaudit_write_system_bus_runtime_named_sockets',`
 	dontaudit $1 system_dbusd_runtime_t:sock_file write;
 ')
 ########################################
 ## <summary>
 ##	Read and write session named sockets in the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dbus_rw_session_tmp_sockets',`
 	gen_require(`
 		type session_dbusd_tmp_t;
 	')
 	rw_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
 ')
 ########################################
 ## <summary>
 ##	Unconfined access to DBUS.