Make sure we do the polkit check on all dbus interfaces.
Change policy kit to only allow access on the console.
This commit is contained in:
parent
ef102bf81a
commit
e8718ef514
|
@ -11,8 +11,8 @@
|
||||||
<description>SELinux write access</description>
|
<description>SELinux write access</description>
|
||||||
<message>System policy prevents restorecon access to SELinux</message>
|
<message>System policy prevents restorecon access to SELinux</message>
|
||||||
<defaults>
|
<defaults>
|
||||||
<allow_any>auth_admin_keep</allow_any>
|
<allow_any>no</allow_any>
|
||||||
<allow_inactive>auth_admin_keep</allow_inactive>
|
<allow_inactive>no</allow_inactive>
|
||||||
<allow_active>auth_admin_keep</allow_active>
|
<allow_active>auth_admin_keep</allow_active>
|
||||||
</defaults>
|
</defaults>
|
||||||
</action>
|
</action>
|
||||||
|
@ -20,8 +20,8 @@
|
||||||
<description>SELinux write access</description>
|
<description>SELinux write access</description>
|
||||||
<message>System policy prevents setenforce access to SELinux</message>
|
<message>System policy prevents setenforce access to SELinux</message>
|
||||||
<defaults>
|
<defaults>
|
||||||
<allow_any>auth_admin_keep</allow_any>
|
<allow_any>no</allow_any>
|
||||||
<allow_inactive>auth_admin_keep</allow_inactive>
|
<allow_inactive>no</allow_inactive>
|
||||||
<allow_active>auth_admin_keep</allow_active>
|
<allow_active>auth_admin_keep</allow_active>
|
||||||
</defaults>
|
</defaults>
|
||||||
</action>
|
</action>
|
||||||
|
@ -29,8 +29,8 @@
|
||||||
<description>SELinux write access</description>
|
<description>SELinux write access</description>
|
||||||
<message>System policy prevents semanage access to SELinux</message>
|
<message>System policy prevents semanage access to SELinux</message>
|
||||||
<defaults>
|
<defaults>
|
||||||
<allow_any>auth_admin_keep</allow_any>
|
<allow_any>no</allow_any>
|
||||||
<allow_inactive>auth_admin_keep</allow_inactive>
|
<allow_inactive>no</allow_inactive>
|
||||||
<allow_active>auth_admin_keep</allow_active>
|
<allow_active>auth_admin_keep</allow_active>
|
||||||
</defaults>
|
</defaults>
|
||||||
</action>
|
</action>
|
||||||
|
@ -38,8 +38,8 @@
|
||||||
<description>SELinux Read access</description>
|
<description>SELinux Read access</description>
|
||||||
<message>System policy prevents read access to SELinux</message>
|
<message>System policy prevents read access to SELinux</message>
|
||||||
<defaults>
|
<defaults>
|
||||||
<allow_any>yes</allow_any>
|
<allow_any>no</allow_any>
|
||||||
<allow_inactive>yes</allow_inactive>
|
<allow_inactive>no</allow_inactive>
|
||||||
<allow_active>yes</allow_active>
|
<allow_active>yes</allow_active>
|
||||||
</defaults>
|
</defaults>
|
||||||
</action>
|
</action>
|
||||||
|
@ -47,8 +47,8 @@
|
||||||
<description>SELinux list modules access</description>
|
<description>SELinux list modules access</description>
|
||||||
<message>System policy prevents read access to SELinux modules</message>
|
<message>System policy prevents read access to SELinux modules</message>
|
||||||
<defaults>
|
<defaults>
|
||||||
<allow_any>yes</allow_any>
|
<allow_any>no</allow_any>
|
||||||
<allow_inactive>yes</allow_inactive>
|
<allow_inactive>no</allow_inactive>
|
||||||
<allow_active>yes</allow_active>
|
<allow_active>yes</allow_active>
|
||||||
</defaults>
|
</defaults>
|
||||||
</action>
|
</action>
|
||||||
|
@ -56,25 +56,27 @@
|
||||||
<description>SELinux write access</description>
|
<description>SELinux write access</description>
|
||||||
<message>System policy prevents relabel_on_boot access to SELinux</message>
|
<message>System policy prevents relabel_on_boot access to SELinux</message>
|
||||||
<defaults>
|
<defaults>
|
||||||
<allow_any>yes</allow_any>
|
<allow_any>no</allow_any>
|
||||||
|
<allow_inactive>no</allow_inactive>
|
||||||
|
<allow_active>auth_admin_keep</allow_active>
|
||||||
</defaults>
|
</defaults>
|
||||||
</action>
|
</action>
|
||||||
<action id="org.selinux.change_default_policy">
|
<action id="org.selinux.change_default_policy">
|
||||||
<description>SELinux write access</description>
|
<description>SELinux write access</description>
|
||||||
<message>System policy prevents change_default_policy access to SELinux</message>
|
<message>System policy prevents change_default_policy access to SELinux</message>
|
||||||
<defaults>
|
<defaults>
|
||||||
<allow_any>auth_admin_keep</allow_any>
|
<allow_any>no</allow_any>
|
||||||
<allow_inactive>auth_admin_keep</allow_inactive>
|
<allow_inactive>no</allow_inactive>
|
||||||
<allow_active>auth_admin_keep</allow_active>
|
<allow_active>auth_admin_keep</allow_active>
|
||||||
</defaults>
|
</defaults>
|
||||||
</action>
|
</action>
|
||||||
<action id="org.selinux.change_policy_type">
|
<action id="org.selinux.change_policy_type">
|
||||||
<description>SELinux write access</description>
|
<description>SELinux write access</description>
|
||||||
<message>System policy prevents change_policy_type access to SELinux</message>
|
<message>System policy prevents change_policy_type access to SELinux</message>
|
||||||
<defaults>
|
<defaults>
|
||||||
<allow_any>auth_admin_keep</allow_any>
|
<allow_any>no</allow_any>
|
||||||
<allow_inactive>auth_admin_keep</allow_inactive>
|
<allow_inactive>no</allow_inactive>
|
||||||
<allow_active>auth_admin_keep</allow_active>
|
<allow_active>auth_admin_keep</allow_active>
|
||||||
</defaults>
|
</defaults>
|
||||||
</action>
|
</action>
|
||||||
</policyconfig>
|
</policyconfig>
|
||||||
|
|
|
@ -47,7 +47,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
# The semodule_list method will return the output of semodule -l, using the customized polkit,
|
# The semodule_list method will return the output of semodule -l, using the customized polkit,
|
||||||
# since this is a readonly behaviour
|
# since this is a readonly behaviour
|
||||||
#
|
#
|
||||||
@slip.dbus.polkit.require_auth("org.selinux.customized")
|
@slip.dbus.polkit.require_auth("org.selinux.semodule_list")
|
||||||
@dbus.service.method("org.selinux", in_signature='', out_signature='s')
|
@dbus.service.method("org.selinux", in_signature='', out_signature='s')
|
||||||
def semodule_list(self):
|
def semodule_list(self):
|
||||||
p = Popen(["/usr/sbin/semodule", "-l"],stdout=PIPE, stderr=PIPE)
|
p = Popen(["/usr/sbin/semodule", "-l"],stdout=PIPE, stderr=PIPE)
|
||||||
|
@ -60,6 +60,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
#
|
#
|
||||||
# The restorecon method modifies any file path to the default system label
|
# The restorecon method modifies any file path to the default system label
|
||||||
#
|
#
|
||||||
|
@slip.dbus.polkit.require_auth("org.selinux.restorecon")
|
||||||
@dbus.service.method("org.selinux", in_signature='s')
|
@dbus.service.method("org.selinux", in_signature='s')
|
||||||
def restorecon(self, path):
|
def restorecon(self, path):
|
||||||
selinux.restorecon(str(path), recursive=1)
|
selinux.restorecon(str(path), recursive=1)
|
||||||
|
@ -67,6 +68,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
#
|
#
|
||||||
# The setenforce method turns off the current enforcement of SELinux
|
# The setenforce method turns off the current enforcement of SELinux
|
||||||
#
|
#
|
||||||
|
@slip.dbus.polkit.require_auth("org.selinux.setenforce")
|
||||||
@dbus.service.method("org.selinux", in_signature='i')
|
@dbus.service.method("org.selinux", in_signature='i')
|
||||||
def setenforce(self, value):
|
def setenforce(self, value):
|
||||||
selinux.security_setenforce(value)
|
selinux.security_setenforce(value)
|
||||||
|
@ -74,6 +76,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
#
|
#
|
||||||
# The setenforce method turns off the current enforcement of SELinux
|
# The setenforce method turns off the current enforcement of SELinux
|
||||||
#
|
#
|
||||||
|
@slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
|
||||||
@dbus.service.method("org.selinux", in_signature='i')
|
@dbus.service.method("org.selinux", in_signature='i')
|
||||||
def relabel_on_boot(self, value):
|
def relabel_on_boot(self, value):
|
||||||
if value == 1:
|
if value == 1:
|
||||||
|
@ -103,6 +106,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
#
|
#
|
||||||
# The change_default_enforcement modifies the current enforcement mode
|
# The change_default_enforcement modifies the current enforcement mode
|
||||||
#
|
#
|
||||||
|
@slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
|
||||||
@dbus.service.method("org.selinux", in_signature='s')
|
@dbus.service.method("org.selinux", in_signature='s')
|
||||||
def change_default_mode(self, value):
|
def change_default_mode(self, value):
|
||||||
values = [ "enforcing", "permissive", "disabled" ]
|
values = [ "enforcing", "permissive", "disabled" ]
|
||||||
|
@ -114,6 +118,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
#
|
#
|
||||||
# The change_default_policy method modifies the policy type
|
# The change_default_policy method modifies the policy type
|
||||||
#
|
#
|
||||||
|
@slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
|
||||||
@dbus.service.method("org.selinux", in_signature='s')
|
@dbus.service.method("org.selinux", in_signature='s')
|
||||||
def change_default_policy(self, value):
|
def change_default_policy(self, value):
|
||||||
path = selinux.selinux_path() + value
|
path = selinux.selinux_path() + value
|
||||||
|
|
Loading…
Reference in New Issue