From 751926c0fbba4bf7105622ee65888b66740847a0 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Sat, 23 Jun 2018 10:38:58 -0400
Subject: Move all files out of the old contrib directory.
---
policy/modules/services/dbus.if | 614 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 614 insertions(+)
create mode 100644 policy/modules/services/dbus.if
(limited to 'policy/modules/services/dbus.if')
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
new file mode 100644
index 00000000..01e353ed
--- /dev/null
+++ b/policy/modules/services/dbus.if
@@ -0,0 +1,614 @@
+## Desktop messaging bus.
+
+########################################
+##
+## DBUS stub interface. No access allowed.
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`dbus_stub',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+')
+
+########################################
+##
+## Role access for dbus.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+template(`dbus_role_template',`
+ gen_require(`
+ class dbus { send_msg acquire_svc };
+ attribute session_bus_type;
+ type system_dbusd_t, dbusd_exec_t;
+ type session_dbusd_tmp_t, session_dbusd_home_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_dbusd_t, session_bus_type;
+ domain_type($1_dbusd_t)
+ domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+
+ role $2 types $1_dbusd_t;
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
+ allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 $1_dbusd_t:fd use;
+
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+ allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+
+ ps_process_pattern($3, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { ptrace signal_perms };
+
+ allow $1_dbusd_t $3:process sigkill;
+
+ corecmd_bin_domtrans($1_dbusd_t, $3)
+ corecmd_shell_domtrans($1_dbusd_t, $3)
+
+ auth_use_nsswitch($1_dbusd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ ')
+
+ ifdef(`distro_gentoo',`
+ optional_policy(`
+ xdg_read_data_home_files($1_dbusd_t)
+ ')
+ ')
+
+ optional_policy(`
+ systemd_read_logind_pids($1_dbusd_t)
+ ')
+')
+
+#######################################
+##
+## Template for creating connections to
+## the system bus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_system_bus_client',`
+ gen_require(`
+ attribute dbusd_system_bus_client;
+ type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ class dbus send_msg;
+ ')
+
+ typeattribute $1 dbusd_system_bus_client;
+
+ allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow system_dbusd_t $1:dbus send_msg;
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+
+ dbus_read_config($1)
+
+ ifdef(`distro_gentoo',`
+ # The /var/lib/dbus/machine-id file is a link to /etc/machine-id
+ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ ')
+')
+
+#######################################
+##
+## Acquire service on all DBUS
+## session busses.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_connect_all_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 session_bus_type:dbus acquire_svc;
+')
+
+#######################################
+##
+## Acquire service on specified
+## DBUS session bus.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_connect_spec_session_bus',`
+ gen_require(`
+ type $1_dbusd_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $2 $1_dbusd_t:dbus acquire_svc;
+')
+
+#######################################
+##
+## Creating connections to all
+## DBUS session busses.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_all_session_bus_client',`
+ gen_require(`
+ attribute session_bus_type, dbusd_session_bus_client;
+ class dbus send_msg;
+ ')
+
+ typeattribute $1 dbusd_session_bus_client;
+
+ allow $1 { session_bus_type self }:dbus send_msg;
+ allow session_bus_type $1:dbus send_msg;
+
+ allow $1 session_bus_type:unix_stream_socket connectto;
+ allow $1 session_bus_type:fd use;
+')
+
+#######################################
+##
+## Creating connections to specified
+## DBUS session bus.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_spec_session_bus_client',`
+ gen_require(`
+ attribute dbusd_session_bus_client;
+ type $1_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ typeattribute $2 dbusd_session_bus_client;
+
+ allow $2 { $1_dbusd_t self }:dbus send_msg;
+ allow $1_dbusd_t $2:dbus send_msg;
+
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+ allow $2 $1_dbusd_t:fd use;
+')
+
+#######################################
+##
+## Send messages to all DBUS
+## session busses.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_send_all_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 session_bus_type:dbus send_msg;
+')
+
+#######################################
+##
+## Send messages to specified
+## DBUS session busses.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_send_spec_session_bus',`
+ gen_require(`
+ type $1_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 $1_dbusd_t:dbus send_msg;
+')
+
+########################################
+##
+## Read dbus configuration content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_read_config',`
+ gen_require(`
+ type dbusd_etc_t;
+ ')
+
+ allow $1 dbusd_etc_t:dir list_dir_perms;
+ allow $1 dbusd_etc_t:file read_file_perms;
+')
+
+########################################
+##
+## Read system dbus lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_read_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## system dbus lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_manage_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+##
+## Allow a application domain to be
+## started by the specified session bus.
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an
+## entry point to this domain.
+##
+##
+#
+interface(`dbus_all_session_domain',`
+ gen_require(`
+ attribute session_bus_type;
+ ')
+
+ domtrans_pattern(session_bus_type, $2, $1)
+
+ dbus_all_session_bus_client($1)
+ dbus_connect_all_session_bus($1)
+')
+
+########################################
+##
+## Allow a application domain to be
+## started by the specified session bus.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an
+## entry point to this domain.
+##
+##
+#
+interface(`dbus_spec_session_domain',`
+ gen_require(`
+ type $1_dbusd_t;
+ ')
+
+ domtrans_pattern($1_dbusd_t, $3, $2)
+
+ dbus_spec_session_bus_client($1, $2)
+ dbus_connect_spec_session_bus($1, $2)
+')
+
+########################################
+##
+## Acquire service on the DBUS system bus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_connect_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 system_dbusd_t:dbus acquire_svc;
+')
+
+########################################
+##
+## Send messages to the DBUS system bus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_send_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 system_dbusd_t:dbus send_msg;
+')
+
+########################################
+##
+## Unconfined access to DBUS system bus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_system_bus_unconfined',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus { acquire_svc send_msg };
+ ')
+
+ allow $1 system_dbusd_t:dbus { acquire_svc send_msg };
+')
+
+########################################
+##
+## Create a domain for processes which
+## can be started by the DBUS system bus.
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`dbus_system_domain',`
+ gen_require(`
+ type system_dbusd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
+ dbus_system_bus_client($1)
+ dbus_connect_system_bus($1)
+
+ ps_process_pattern(system_dbusd_t, $1)
+
+ userdom_read_all_users_state($1)
+
+ ifdef(`init_systemd',`
+ init_daemon_domain($1, $2)
+ ')
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ ')
+')
+
+########################################
+##
+## Use and inherit DBUS system bus
+## file descriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_use_system_bus_fds',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to read and
+## write DBUS system bus TCP sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ dontaudit $1 system_dbusd_t:tcp_socket { read write };
+')
+
+########################################
+##
+## Unconfined access to DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')
+
+########################################
+##
+## Create resources in /run or /var/run with the system_dbusd_var_run_t
+## label. This method is deprecated in favor of the init_daemon_run_dir
+## call.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## Classes supported for the created resources
+##
+##
+##
+##
+## Optional file name used for the resource
+##
+##
+#
+interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Create directories with the system_dbusd_var_run_t label
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`dbus_create_system_dbusd_var_run_dirs',`
+ gen_require(`
+ type system_dbusd_var_run_t;
+ ')
+
+ create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+
-- cgit v1.2.3-65-gdbad
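Review bot: In `dbus_role_template`, the line `allow $3 $1_dbusd_t:process { ptrace signal_perms };` grants the user domain ptrace over its session bus daemon unconditionally, and nothing in the template says why tracing is needed in addition to the signal permissions. A domain that can ptrace the daemon can observe and alter everything that crosses that bus, so the rule deserves either a why-comment directly above it or a split into `allow $3 $1_dbusd_t:process signal_perms;` plus a separately gated ptrace rule. The commit subject indicates the file is only being relocated, so this is presumably inherited behaviour and may be better handled in a follow-up change than in this commit.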