nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
242e371ac2
selinux-refpolicy/policy/modules/services/dbus.te
Kenton Groombridge b3e42c3f15 dbus: add supporting interfaces and rules for rootless podman 
Add interfaces to getattr and write to the session dbus socket. Also
dontaudit managing the ptrace capability in user namespaces.

Lastly, allow session dbus daemons to get the attributes of the cgroup
filesystem and the proc filesystem.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00

320 lines
10 KiB
Plaintext
Raw Blame History

policy_module(dbus)
gen_require(`
class dbus all_dbus_perms;
')
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow dbus-daemon system bus to access /dev/net/tun
## which is needed to pass tun/tap device file descriptors
## over D-Bus. This is needed by openvpn3-linux.
## </p>
## </desc>
gen_tunable(dbus_pass_tuntap_fd, false)
attribute dbusd_unconfined;
attribute session_bus_type;
attribute dbusd_system_bus_client;
attribute dbusd_session_bus_client;
type dbusd_etc_t;
files_config_file(dbusd_etc_t)
type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
type dbusd_unit_t;
init_unit_file(dbusd_unit_t)
type session_dbusd_home_t;
userdom_user_home_content(session_dbusd_home_t)
type session_dbusd_runtime_t;
files_runtime_file(session_dbusd_runtime_t)
userdom_user_runtime_content(session_dbusd_runtime_t)
type session_dbusd_tmp_t;
userdom_user_tmp_file(session_dbusd_tmp_t)
type system_dbusd_t;
init_system_domain(system_dbusd_t, dbusd_exec_t)
init_named_socket_activation(system_dbusd_t, system_dbusd_runtime_t)
type system_dbusd_runtime_t alias system_dbusd_var_run_t;
files_runtime_file(system_dbusd_runtime_t)
init_daemon_runtime_file(system_dbusd_runtime_t, dir, "dbus")
init_mountpoint(system_dbusd_runtime_t)
type system_dbusd_tmp_t;
files_tmp_file(system_dbusd_tmp_t)
type system_dbusd_var_lib_t;
files_type(system_dbusd_var_lib_t)
ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
########################################
#
# Local policy
#
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
allow system_dbusd_t dbusd_etc_t:dir { list_dir_perms watch };
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_dirs_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)
manage_files_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t)
files_runtime_filetrans(system_dbusd_t, system_dbusd_runtime_t, { dir file })
can_exec(system_dbusd_t, dbusd_exec_t)
kernel_read_crypto_sysctls(system_dbusd_t)
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
corecmd_exec_shell(system_dbusd_t)
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
files_list_home(system_dbusd_t)
files_read_usr_files(system_dbusd_t)
files_watch_usr_dirs(system_dbusd_t)
fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
fs_search_cgroup_dirs(system_dbusd_t)
fs_dontaudit_list_nfs(system_dbusd_t)
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
mls_socket_write_all_levels(system_dbusd_t)
mls_socket_read_to_clearance(system_dbusd_t)
mls_dbus_recv_all_levels(system_dbusd_t)
selinux_get_fs_mount(system_dbusd_t)
selinux_use_status_page(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
selinux_compute_access_vector(system_dbusd_t)
selinux_compute_create_context(system_dbusd_t)
selinux_compute_relabel_context(system_dbusd_t)
selinux_compute_user_contexts(system_dbusd_t)
term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
init_all_labeled_script_domtrans(system_dbusd_t)
init_start_system(system_dbusd_t) # needed by dbus-broker
# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/*
libs_exec_lib_files(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
miscfiles_read_localization(system_dbusd_t)
miscfiles_read_generic_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
# for machinectl shell
term_use_ptmx(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
# read a file in ~/.local/share
userdom_read_user_home_content_files(system_dbusd_t)
ifdef(`init_systemd', `
# gdm3 causes system_dbusd_t to want this access
dev_rw_dri(system_dbusd_t)
dev_rw_input_dev(system_dbusd_t)
# for /run/systemd/dynamic-uid/
init_list_runtime(system_dbusd_t)
init_read_runtime_symlinks(system_dbusd_t)
# Recent versions of dbus are started as Type=notify
init_write_runtime_socket(system_dbusd_t)
')
tunable_policy(`dbus_pass_tuntap_fd',`
corenet_rw_tun_tap_dev(system_dbusd_t)
')
optional_policy(`
# for /run/systemd/users/*
systemd_read_logind_runtime_files(system_dbusd_t)
systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
# for passing around terminal file handles for machinectl shell
systemd_use_inherited_machined_ptys(system_dbusd_t)
# allow populating of /var/lib/dbus by systemd-tmpfilesd
systemd_tmpfilesd_managed(system_dbusd_var_lib_t)
')
optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
')
optional_policy(`
policykit_read_lib(system_dbusd_t)
')
optional_policy(`
seutil_sigchld_newrole(system_dbusd_t)
')
optional_policy(`
tpm2_rw_abrmd_pipes(system_dbusd_t)
')
optional_policy(`
unconfined_dbus_send(system_dbusd_t)
')
optional_policy(`
xserver_read_xdm_lib_files(system_dbusd_t)
xserver_use_xdm_fds(system_dbusd_t)
')
########################################
#
# Common session bus local policy
#
dontaudit session_bus_type self:capability sys_resource;
allow session_bus_type self:process { getattr sigkill signal };
dontaudit session_bus_type self:process { ptrace setrlimit };
allow session_bus_type self:file rw_inherited_file_perms;
allow session_bus_type self:fifo_file rw_fifo_file_perms;
allow session_bus_type self:dbus { send_msg acquire_svc };
allow session_bus_type self:unix_stream_socket { accept listen };
allow session_bus_type self:tcp_socket { accept listen };
allow session_bus_type self:netlink_selinux_socket create_socket_perms;
allow session_bus_type dbusd_etc_t:dir list_dir_perms;
read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
allow session_bus_type dbusd_etc_t:dir watch;
manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
kernel_read_crypto_sysctls(session_bus_type)
kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
corenet_all_recvfrom_netlabel(session_bus_type)
corenet_tcp_sendrecv_generic_if(session_bus_type)
corenet_tcp_sendrecv_generic_node(session_bus_type)
corenet_tcp_bind_generic_node(session_bus_type)
corenet_sendrecv_all_server_packets(session_bus_type)
corenet_tcp_bind_reserved_port(session_bus_type)
dev_read_urand(session_bus_type)
domain_read_all_domains_state(session_bus_type)
domain_use_interactive_fds(session_bus_type)
files_list_home(session_bus_type)
files_read_usr_files(session_bus_type)
files_watch_usr_dirs(session_bus_type)
files_dontaudit_search_var(session_bus_type)
fs_getattr_cgroup(session_bus_type)
fs_getattr_romfs(session_bus_type)
fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
kernel_getattr_proc(session_bus_type)
selinux_get_fs_mount(session_bus_type)
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
selinux_compute_relabel_context(session_bus_type)
selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
logging_send_syslog_msg(session_bus_type)
miscfiles_read_localization(session_bus_type)
seutil_read_config(session_bus_type)
seutil_read_default_contexts(session_bus_type)
term_use_all_terms(session_bus_type)
optional_policy(`
xserver_rw_xsession_log(session_bus_type)
xserver_use_xdm_fds(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
')
########################################
#
# Unconfined access to this module
#
allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
Reference in New Issue View Git Blame Copy Permalink