nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1cbe455a5e
selinux-refpolicy/policy/modules/services/dbus.if
Dave Sugar 58e4c9a36f dbus changes 
dbus needs to map security_t files
private type ($1_dbus_tmpfs_t) for file created on tmpfs

Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: avc: could not open selinux status page: 13 (Permission denied)
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: ERROR bus_selinux_init_global @ ../src/util/selinux.c +336: Permission denied
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +285
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +295
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: ERROR service_add @ ../src/launch/service.c +921: Transport endpoint is not connected
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_add_services @ ../src/launch/launcher.c +804
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_run @ ../src/launch/launcher.c +1409
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: run @ ../src/launch/main.c +152
Dec 20 18:18:15 localhost.localdomain audisp-syslog[1585]: node=localhost type=AVC msg=audit(1703096295.282:5058): avc:  denied  { map } for  pid=1927 comm="dbus-broker" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0

Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: main @ ../src/launch/main.c +178
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: Exiting due to fatal error: -107
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Main process exited, code=exited, status=1/FAILURE
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Failed with result 'exit-code'.

node=localhost type=AVC msg=audit(1703095496.614:486): avc:  denied  { write } for  pid=1838 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc:  denied  { map } for  pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc:  denied  { read } for  pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7369): avc:  denied  { write } for  pid=1839 comm="dbus-broker" name="memfd:dbus-broker-log" dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc:  denied  { map } for  pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc:  denied  { read } for  pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7632): avc:  denied  { write } for  pid=2394 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc:  denied  { map } for  pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc:  denied  { read } for  pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-02 15:18:55 -05:00

788 lines
16 KiB
Plaintext
Raw Blame History

## <summary>Desktop messaging bus.</summary>
########################################
## <summary>
## DBUS stub interface. No access allowed.
## </summary>
## <param name="domain" unused="true">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`dbus_stub',`
gen_require(`
type system_dbusd_t;
class dbus all_dbus_perms;
')
')
########################################
## <summary>
## Execute dbus in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_exec',`
gen_require(`
type dbusd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, dbusd_exec_t)
')
########################################
## <summary>
## Role access for dbus.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
attribute session_bus_type;
type system_dbusd_t, dbusd_exec_t;
type session_dbusd_tmp_t, session_dbusd_home_t;
type session_dbusd_runtime_t;
')
##############################
#
# Declarations
#
type $1_dbusd_t, session_bus_type;
domain_type($1_dbusd_t)
domain_entry_file($1_dbusd_t, dbusd_exec_t)
ubac_constrained($1_dbusd_t)
type $1_dbusd_tmpfs_t;
files_tmpfs_file($1_dbusd_tmpfs_t)
role $2 types $1_dbusd_t;
##############################
#
# Local policy
#
allow $3 $1_dbusd_t:unix_stream_socket { create_stream_socket_perms connectto };
allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 $1_dbusd_t:fd use;
dontaudit $1_dbusd_t self:process getcap;
dontaudit $1_dbusd_t self:cap_userns sys_ptrace;
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
allow $3 session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
ps_process_pattern($3, $1_dbusd_t)
allow $3 $1_dbusd_t:process { ptrace signal_perms };
allow $1_dbusd_t $3:process sigkill;
allow $1_dbusd_t session_dbusd_tmp_t:sock_file manage_sock_file_perms;
allow $1_dbusd_t self:unix_stream_socket connectto;
allow $1_dbusd_t $1_dbusd_tmpfs_t:file mmap_rw_inherited_file_perms;
files_read_etc_runtime_files($1_dbusd_t)
fs_tmpfs_filetrans($1_dbusd_t, $1_dbusd_tmpfs_t, file)
kernel_getattr_proc($1_dbusd_t)
corecmd_bin_domtrans($1_dbusd_t, $3)
corecmd_shell_domtrans($1_dbusd_t, $3)
selinux_use_status_page($1_dbusd_t)
auth_use_nsswitch($1_dbusd_t)
dbus_exec($1_dbusd_t)
optional_policy(`
systemd_read_logind_runtime_files($1_dbusd_t)
systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
systemd_user_send_systemd_notify($1, $1_dbusd_t)
systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t)
')
')
#######################################
## <summary>
## Template for creating connections to
## the system bus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_system_bus_client',`
gen_require(`
attribute dbusd_system_bus_client;
type system_dbusd_t, system_dbusd_runtime_t, system_dbusd_var_lib_t;
class dbus send_msg;
')
typeattribute $1 dbusd_system_bus_client;
allow $1 { system_dbusd_t self }:dbus send_msg;
allow system_dbusd_t $1:dbus send_msg;
files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_runtime($1)
stream_connect_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t, system_dbusd_t)
dbus_read_config($1)
dbus_list_system_bus_runtime($1)
dbus_read_system_bus_runtime_named_sockets($1)
dbus_rw_session_tmp_sockets($1)
')
#######################################
## <summary>
## Acquire service on all DBUS
## session busses.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_connect_all_session_bus',`
gen_require(`
attribute session_bus_type;
class dbus acquire_svc;
')
allow $1 session_bus_type:dbus acquire_svc;
')
#######################################
## <summary>
## Acquire service on specified
## DBUS session bus.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`dbus_connect_spec_session_bus',`
gen_require(`
type $1_dbusd_t;
class dbus acquire_svc;
')
allow $2 $1_dbusd_t:dbus acquire_svc;
')
#######################################
## <summary>
## Creating connections to all
## DBUS session busses.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_all_session_bus_client',`
gen_require(`
attribute session_bus_type, dbusd_session_bus_client;
class dbus send_msg;
')
typeattribute $1 dbusd_session_bus_client;
allow $1 { session_bus_type self }:dbus send_msg;
allow session_bus_type $1:dbus send_msg;
allow $1 session_bus_type:unix_stream_socket connectto;
allow $1 session_bus_type:fd use;
dbus_rw_session_tmp_sockets($1)
')
#######################################
## <summary>
## Creating connections to specified
## DBUS session bus.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`dbus_spec_session_bus_client',`
gen_require(`
attribute dbusd_session_bus_client;
type $1_dbusd_t;
class dbus send_msg;
')
typeattribute $2 dbusd_session_bus_client;
allow $2 { $1_dbusd_t self }:dbus send_msg;
allow $1_dbusd_t $2:dbus send_msg;
allow $2 $1_dbusd_t:unix_stream_socket connectto;
allow $2 $1_dbusd_t:fd use;
')
#######################################
## <summary>
## Send messages to all DBUS
## session busses.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_send_all_session_bus',`
gen_require(`
attribute session_bus_type;
class dbus send_msg;
')
allow $1 session_bus_type:dbus send_msg;
')
#######################################
## <summary>
## Send messages to specified
## DBUS session busses.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`dbus_send_spec_session_bus',`
gen_require(`
type $1_dbusd_t;
class dbus send_msg;
')
allow $2 $1_dbusd_t:dbus send_msg;
')
#######################################
## <summary>
## Allow the specified domain to get the
## attributes of the session dbus sock file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_getattr_session_runtime_socket',`
gen_require(`
type session_dbusd_runtime_t;
')
allow $1 session_dbusd_runtime_t:sock_file getattr;
')
#######################################
## <summary>
## Allow the specified domain to write to
## the session dbus sock file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_write_session_runtime_socket',`
gen_require(`
type session_dbusd_runtime_t;
')
allow $1 session_dbusd_runtime_t:sock_file write;
')
########################################
## <summary>
## Read dbus configuration content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_read_config',`
gen_require(`
type dbusd_etc_t;
')
allow $1 dbusd_etc_t:dir list_dir_perms;
allow $1 dbusd_etc_t:file read_file_perms;
')
########################################
## <summary>
## Read system dbus lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_read_lib_files',`
gen_require(`
type system_dbusd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
########################################
## <summary>
## Relabel system dbus lib directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_relabel_lib_dirs',`
gen_require(`
type system_dbusd_var_lib_t;
')
files_search_var_lib($1)
allow $1 system_dbusd_var_lib_t:dir relabel_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## system dbus lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_manage_lib_files',`
gen_require(`
type system_dbusd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
')
########################################
## <summary>
## Allow a application domain to be
## started by the specified session bus.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an
## entry point to this domain.
## </summary>
## </param>
#
interface(`dbus_all_session_domain',`
gen_require(`
attribute session_bus_type;
')
domtrans_pattern(session_bus_type, $2, $1)
dbus_all_session_bus_client($1)
dbus_connect_all_session_bus($1)
')
########################################
## <summary>
## Allow a application domain to be
## started by the specified session bus.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an
## entry point to this domain.
## </summary>
## </param>
#
template(`dbus_spec_session_domain',`
gen_require(`
type $1_dbusd_t;
')
domtrans_pattern($1_dbusd_t, $3, $2)
dbus_spec_session_bus_client($1, $2)
dbus_connect_spec_session_bus($1, $2)
')
########################################
## <summary>
## Acquire service on the DBUS system bus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_connect_system_bus',`
gen_require(`
type system_dbusd_t;
class dbus acquire_svc;
')
allow $1 system_dbusd_t:dbus acquire_svc;
')
########################################
## <summary>
## Send messages to the DBUS system bus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_send_system_bus',`
gen_require(`
type system_dbusd_t;
class dbus send_msg;
')
allow $1 system_dbusd_t:dbus send_msg;
')
########################################
## <summary>
## Unconfined access to DBUS system bus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_system_bus_unconfined',`
gen_require(`
type system_dbusd_t;
class dbus { acquire_svc send_msg };
')
allow $1 system_dbusd_t:dbus { acquire_svc send_msg };
')
########################################
## <summary>
## Create a domain for processes which
## can be started by the DBUS system bus.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
interface(`dbus_system_domain',`
gen_require(`
type system_dbusd_t;
role system_r;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
domtrans_pattern(system_dbusd_t, $2, $1)
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
ps_process_pattern(system_dbusd_t, $1)
userdom_read_all_users_state($1)
ifdef(`init_systemd',`
init_daemon_domain($1, $2)
')
')
########################################
## <summary>
## Use and inherit DBUS system bus
## file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_use_system_bus_fds',`
gen_require(`
type system_dbusd_t;
')
allow $1 system_dbusd_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to read and
## write DBUS system bus TCP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
gen_require(`
type system_dbusd_t;
')
dontaudit $1 system_dbusd_t:tcp_socket { read write };
')
########################################
## <summary>
## Watch system bus runtime directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_watch_system_bus_runtime_dirs',`
gen_require(`
type system_dbusd_runtime_t;
')
allow $1 system_dbusd_runtime_t:dir watch;
')
########################################
## <summary>
## Read system bus runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_read_system_bus_runtime_files',`
gen_require(`
type system_dbusd_runtime_t;
')
allow $1 system_dbusd_runtime_t:file read;
')
########################################
## <summary>
## List system bus runtime directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_list_system_bus_runtime',`
gen_require(`
type system_dbusd_runtime_t;
')
allow $1 system_dbusd_runtime_t:dir list_dir_perms;
')
########################################
## <summary>
## Watch system bus runtime named sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_watch_system_bus_runtime_named_sockets',`
gen_require(`
type system_dbusd_runtime_t;
')
allow $1 system_dbusd_runtime_t:sock_file watch;
')
########################################
## <summary>
## Read system bus runtime named sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_read_system_bus_runtime_named_sockets',`
gen_require(`
type system_dbusd_runtime_t;
')
allow $1 system_dbusd_runtime_t:sock_file read;
')
#######################################
## <summary>
## Do not audit attempts to write to
## system bus runtime named sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dbus_dontaudit_write_system_bus_runtime_named_sockets',`
gen_require(`
type system_dbusd_runtime_t;
')
dontaudit $1 system_dbusd_runtime_t:sock_file write;
')
########################################
## <summary>
## Read and write session named sockets in the tmp directory (/tmp).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_rw_session_tmp_sockets',`
gen_require(`
type session_dbusd_tmp_t;
')
rw_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
')
########################################
## <summary>
## Unconfined access to DBUS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_unconfined',`
gen_require(`
attribute dbusd_unconfined;
')
typeattribute $1 dbusd_unconfined;
')
Reference in New Issue View Git Blame Copy Permalink