## Desktop messaging bus. ######################################## ## ## DBUS stub interface. No access allowed. ## ## ## ## Domain allowed access ## ## # interface(`dbus_stub',` gen_require(` type system_dbusd_t; class dbus all_dbus_perms; ') ') ######################################## ## ## Execute dbus in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_exec',` gen_require(` type dbusd_exec_t; ') corecmd_search_bin($1) can_exec($1, dbusd_exec_t) ') ######################################## ## ## Role access for dbus. ## ## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## Role allowed access ## ## ## ## ## User domain for the role ## ## # template(`dbus_role_template',` gen_require(` class dbus { send_msg acquire_svc }; attribute session_bus_type; type system_dbusd_t, dbusd_exec_t; type session_dbusd_tmp_t, session_dbusd_home_t; type session_dbusd_runtime_t; ') ############################## # # Declarations # type $1_dbusd_t, session_bus_type; domain_type($1_dbusd_t) domain_entry_file($1_dbusd_t, dbusd_exec_t) ubac_constrained($1_dbusd_t) role $2 types $1_dbusd_t; ############################## # # Local policy # allow $3 $1_dbusd_t:unix_stream_socket connectto; allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; allow $3 $1_dbusd_t:fd use; dontaudit $1_dbusd_t self:process getcap; dontaudit $1_dbusd_t self:cap_userns sys_ptrace; allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms }; allow $3 session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus") domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) ps_process_pattern($3, $1_dbusd_t) allow $3 $1_dbusd_t:process { ptrace signal_perms }; allow $1_dbusd_t $3:process sigkill; corecmd_bin_domtrans($1_dbusd_t, $3) corecmd_shell_domtrans($1_dbusd_t, $3) auth_use_nsswitch($1_dbusd_t) ifdef(`hide_broken_symptoms',` dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; ') optional_policy(` systemd_read_logind_runtime_files($1_dbusd_t) systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t) systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t) ') ') ####################################### ## ## Template for creating connections to ## the system bus. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_system_bus_client',` gen_require(` attribute dbusd_system_bus_client; type system_dbusd_t, system_dbusd_runtime_t, system_dbusd_var_lib_t; class dbus send_msg; ') typeattribute $1 dbusd_system_bus_client; allow $1 { system_dbusd_t self }:dbus send_msg; allow system_dbusd_t $1:dbus send_msg; files_search_var_lib($1) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_runtime($1) stream_connect_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t, system_dbusd_t) dbus_read_config($1) dbus_list_system_bus_runtime($1) dbus_read_system_bus_runtime_named_sockets($1) ') ####################################### ## ## Acquire service on all DBUS ## session busses. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_connect_all_session_bus',` gen_require(` attribute session_bus_type; class dbus acquire_svc; ') allow $1 session_bus_type:dbus acquire_svc; ') ####################################### ## ## Acquire service on specified ## DBUS session bus. ## ## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## Domain allowed access. ## ## # template(`dbus_connect_spec_session_bus',` gen_require(` type $1_dbusd_t; class dbus acquire_svc; ') allow $2 $1_dbusd_t:dbus acquire_svc; ') ####################################### ## ## Creating connections to all ## DBUS session busses. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_all_session_bus_client',` gen_require(` attribute session_bus_type, dbusd_session_bus_client; class dbus send_msg; ') typeattribute $1 dbusd_session_bus_client; allow $1 { session_bus_type self }:dbus send_msg; allow session_bus_type $1:dbus send_msg; allow $1 session_bus_type:unix_stream_socket connectto; allow $1 session_bus_type:fd use; ') ####################################### ## ## Creating connections to specified ## DBUS session bus. ## ## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## Domain allowed access. ## ## # template(`dbus_spec_session_bus_client',` gen_require(` attribute dbusd_session_bus_client; type $1_dbusd_t; class dbus send_msg; ') typeattribute $2 dbusd_session_bus_client; allow $2 { $1_dbusd_t self }:dbus send_msg; allow $1_dbusd_t $2:dbus send_msg; allow $2 $1_dbusd_t:unix_stream_socket connectto; allow $2 $1_dbusd_t:fd use; ') ####################################### ## ## Send messages to all DBUS ## session busses. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_send_all_session_bus',` gen_require(` attribute session_bus_type; class dbus send_msg; ') allow $1 session_bus_type:dbus send_msg; ') ####################################### ## ## Send messages to specified ## DBUS session busses. ## ## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## Domain allowed access. ## ## # template(`dbus_send_spec_session_bus',` gen_require(` type $1_dbusd_t; class dbus send_msg; ') allow $2 $1_dbusd_t:dbus send_msg; ') ####################################### ## ## Allow the specified domain to get the ## attributes of the session dbus sock file. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_getattr_session_runtime_socket',` gen_require(` type session_dbusd_runtime_t; ') allow $1 session_dbusd_runtime_t:sock_file getattr; ') ####################################### ## ## Allow the specified domain to write to ## the session dbus sock file. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_write_session_runtime_socket',` gen_require(` type session_dbusd_runtime_t; ') allow $1 session_dbusd_runtime_t:sock_file write; ') ######################################## ## ## Read dbus configuration content. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_read_config',` gen_require(` type dbusd_etc_t; ') allow $1 dbusd_etc_t:dir list_dir_perms; allow $1 dbusd_etc_t:file read_file_perms; ') ######################################## ## ## Read system dbus lib files. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_read_lib_files',` gen_require(` type system_dbusd_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ') ######################################## ## ## Relabel system dbus lib directory. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_relabel_lib_dirs',` gen_require(` type system_dbusd_var_lib_t; ') files_search_var_lib($1) allow $1 system_dbusd_var_lib_t:dir relabel_dir_perms; ') ######################################## ## ## Create, read, write, and delete ## system dbus lib files. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_manage_lib_files',` gen_require(` type system_dbusd_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ') ######################################## ## ## Allow a application domain to be ## started by the specified session bus. ## ## ## ## Type to be used as a domain. ## ## ## ## ## Type of the program to be used as an ## entry point to this domain. ## ## # interface(`dbus_all_session_domain',` gen_require(` attribute session_bus_type; ') domtrans_pattern(session_bus_type, $2, $1) dbus_all_session_bus_client($1) dbus_connect_all_session_bus($1) ') ######################################## ## ## Allow a application domain to be ## started by the specified session bus. ## ## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## Type to be used as a domain. ## ## ## ## ## Type of the program to be used as an ## entry point to this domain. ## ## # template(`dbus_spec_session_domain',` gen_require(` type $1_dbusd_t; ') domtrans_pattern($1_dbusd_t, $3, $2) dbus_spec_session_bus_client($1, $2) dbus_connect_spec_session_bus($1, $2) ') ######################################## ## ## Acquire service on the DBUS system bus. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_connect_system_bus',` gen_require(` type system_dbusd_t; class dbus acquire_svc; ') allow $1 system_dbusd_t:dbus acquire_svc; ') ######################################## ## ## Send messages to the DBUS system bus. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_send_system_bus',` gen_require(` type system_dbusd_t; class dbus send_msg; ') allow $1 system_dbusd_t:dbus send_msg; ') ######################################## ## ## Unconfined access to DBUS system bus. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_system_bus_unconfined',` gen_require(` type system_dbusd_t; class dbus { acquire_svc send_msg }; ') allow $1 system_dbusd_t:dbus { acquire_svc send_msg }; ') ######################################## ## ## Create a domain for processes which ## can be started by the DBUS system bus. ## ## ## ## Type to be used as a domain. ## ## ## ## ## Type of the program to be used as an entry point to this domain. ## ## # interface(`dbus_system_domain',` gen_require(` type system_dbusd_t; role system_r; ') domain_type($1) domain_entry_file($1, $2) role system_r types $1; domtrans_pattern(system_dbusd_t, $2, $1) dbus_system_bus_client($1) dbus_connect_system_bus($1) ps_process_pattern(system_dbusd_t, $1) userdom_read_all_users_state($1) ifdef(`init_systemd',` init_daemon_domain($1, $2) ') ifdef(`hide_broken_symptoms', ` dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') ######################################## ## ## Use and inherit DBUS system bus ## file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_use_system_bus_fds',` gen_require(` type system_dbusd_t; ') allow $1 system_dbusd_t:fd use; ') ######################################## ## ## Do not audit attempts to read and ## write DBUS system bus TCP sockets. ## ## ## ## Domain to not audit. ## ## # interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` gen_require(` type system_dbusd_t; ') dontaudit $1 system_dbusd_t:tcp_socket { read write }; ') ######################################## ## ## Watch system bus runtime directories. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_watch_system_bus_runtime_dirs',` gen_require(` type system_dbusd_runtime_t; ') allow $1 system_dbusd_runtime_t:dir watch; ') ######################################## ## ## List system bus runtime directories. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_list_system_bus_runtime',` gen_require(` type system_dbusd_runtime_t; ') allow $1 system_dbusd_runtime_t:dir list_dir_perms; ') ######################################## ## ## Watch system bus runtime named sockets. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_watch_system_bus_runtime_named_sockets',` gen_require(` type system_dbusd_runtime_t; ') allow $1 system_dbusd_runtime_t:sock_file watch; ') ######################################## ## ## Read system bus runtime named sockets. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_read_system_bus_runtime_named_sockets',` gen_require(` type system_dbusd_runtime_t; ') allow $1 system_dbusd_runtime_t:sock_file read; ') ######################################## ## ## Unconfined access to DBUS. ## ## ## ## Domain allowed access. ## ## # interface(`dbus_unconfined',` gen_require(` attribute dbusd_unconfined; ') typeattribute $1 dbusd_unconfined; ')