Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/dbus.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/dbus.if')
-rw-r--r--policy/modules/contrib/dbus.if507
1 files changed, 507 insertions, 0 deletions
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
new file mode 100644
index 000000000..57dd64bfc
--- /dev/null
+++ b/policy/modules/contrib/dbus.if
@@ -0,0 +1,507 @@
+## <summary>Desktop messaging bus</summary>
+
+########################################
+## <summary>
+## DBUS stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dbus_stub',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for dbus
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+template(`dbus_role_template',`
+ gen_require(`
+ class dbus { send_msg acquire_svc };
+
+ attribute session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ ')
+
+ ##############################
+ #
+ # Delcarations
+ #
+
+ type $1_dbusd_t, session_bus_type;
+ domain_type($1_dbusd_t)
+ domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+ role $2 types $1_dbusd_t;
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ allow $1_dbusd_t self:process { getattr sigkill signal };
+ dontaudit $1_dbusd_t self:process ptrace;
+ allow $1_dbusd_t self:file { getattr read write };
+ allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
+ allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+ allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
+ allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+
+ # For connecting to the bus
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
+
+ # SE-DBus specific permissions
+ allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+ allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+ read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+
+ manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
+
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+ # cjp: this seems very broken
+ corecmd_bin_domtrans($1_dbusd_t, $3)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_dbusd_t:process sigchld;
+
+ kernel_read_system_state($1_dbusd_t)
+ kernel_read_kernel_sysctls($1_dbusd_t)
+
+ corecmd_list_bin($1_dbusd_t)
+ corecmd_read_bin_symlinks($1_dbusd_t)
+ corecmd_read_bin_files($1_dbusd_t)
+ corecmd_read_bin_pipes($1_dbusd_t)
+ corecmd_read_bin_sockets($1_dbusd_t)
+
+ corenet_all_recvfrom_unlabeled($1_dbusd_t)
+ corenet_all_recvfrom_netlabel($1_dbusd_t)
+ corenet_tcp_sendrecv_generic_if($1_dbusd_t)
+ corenet_tcp_sendrecv_generic_node($1_dbusd_t)
+ corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+ corenet_tcp_bind_generic_node($1_dbusd_t)
+ corenet_tcp_bind_reserved_port($1_dbusd_t)
+
+ dev_read_urand($1_dbusd_t)
+
+ domain_use_interactive_fds($1_dbusd_t)
+ domain_read_all_domains_state($1_dbusd_t)
+
+ files_read_etc_files($1_dbusd_t)
+ files_list_home($1_dbusd_t)
+ files_read_usr_files($1_dbusd_t)
+ files_dontaudit_search_var($1_dbusd_t)
+
+ fs_getattr_romfs($1_dbusd_t)
+ fs_getattr_xattr_fs($1_dbusd_t)
+ fs_list_inotifyfs($1_dbusd_t)
+ fs_dontaudit_list_nfs($1_dbusd_t)
+
+ selinux_get_fs_mount($1_dbusd_t)
+ selinux_validate_context($1_dbusd_t)
+ selinux_compute_access_vector($1_dbusd_t)
+ selinux_compute_create_context($1_dbusd_t)
+ selinux_compute_relabel_context($1_dbusd_t)
+ selinux_compute_user_contexts($1_dbusd_t)
+
+ auth_read_pam_console_data($1_dbusd_t)
+ auth_use_nsswitch($1_dbusd_t)
+
+ logging_send_audit_msgs($1_dbusd_t)
+ logging_send_syslog_msg($1_dbusd_t)
+
+ miscfiles_read_localization($1_dbusd_t)
+
+ seutil_read_config($1_dbusd_t)
+ seutil_read_default_contexts($1_dbusd_t)
+
+ term_use_all_terms($1_dbusd_t)
+
+ userdom_read_user_home_content_files($1_dbusd_t)
+
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ ')
+
+ optional_policy(`
+ hal_dbus_chat($1_dbusd_t)
+ ')
+
+ optional_policy(`
+ xdg_read_generic_data_home_files($1_dbusd_t)
+ ')
+
+ optional_policy(`
+ xserver_use_xdm_fds($1_dbusd_t)
+ xserver_rw_xdm_pipes($1_dbusd_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Template for creating connections to
+## the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_system_bus_client',`
+ gen_require(`
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ class dbus send_msg;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow system_dbusd_t $1:dbus send_msg;
+
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+
+ # For connecting to the bus
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+ dbus_read_config($1)
+')
+
+#######################################
+## <summary>
+## Template for creating connections to
+## a user DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_session_bus_client',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { session_bus_type self }:dbus send_msg;
+
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
+
+ dontaudit $1 session_bus_type:fd use;
+')
+
+########################################
+## <summary>
+## Send a message the session DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_send_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 session_bus_type:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read dbus configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_config',`
+ gen_require(`
+ type dbusd_etc_t;
+ ')
+
+ allow $1 dbusd_etc_t:dir list_dir_perms;
+ allow $1 dbusd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read system dbus lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## system dbus lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_manage_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Connect to the system DBUS
+## for service (acquire_svc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 session_bus_type:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+## Allow a application domain to be started
+## by the session dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an
+## entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`dbus_session_domain',`
+ gen_require(`
+ attribute session_bus_type;
+ ')
+
+ domtrans_pattern(session_bus_type, $2, $1)
+
+ dbus_session_bus_client($1)
+ dbus_connect_session_bus($1)
+')
+
+########################################
+## <summary>
+## Connect to the system DBUS
+## for service (acquire_svc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 system_dbusd_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+## Send a message on the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_send_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 system_dbusd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_system_bus_unconfined',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+
+ allow $1 system_dbusd_t:dbus *;
+')
+
+########################################
+## <summary>
+## Create a domain for processes
+## which can be started by the system dbus
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`dbus_system_domain',`
+ gen_require(`
+ type system_dbusd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
+ dbus_system_bus_client($1)
+ dbus_connect_system_bus($1)
+
+ ps_process_pattern(system_dbusd_t, $1)
+
+ userdom_read_all_users_state($1)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Use and inherit system DBUS file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_use_system_bus_fds',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+## Dontaudit Read, and write system dbus TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:tcp_socket { read write };
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')