From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id DF0A4138010 for ; Sat, 6 Oct 2012 15:58:03 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7FCCDE058A; Sat, 6 Oct 2012 15:56:41 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 634ABE0552 for ; Sat, 6 Oct 2012 15:56:40 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 9373A33D78D for ; Sat, 6 Oct 2012 15:56:39 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 00334E544C for ; Sat, 6 Oct 2012 15:56:37 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349538788.09c6c156df57087c0541ea48cf809baca889472e.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/bind.te policy/modules/contrib/dbus.fc policy/modules/contrib/dbus.if policy/modules/contrib/dbus.te policy/modules/contrib/policykit.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 09c6c156df57087c0541ea48cf809baca889472e X-VCS-Branch: master Date: Sat, 6 Oct 2012 15:56:37 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: bc5e95dc-f8e6-4dcb-b129-e3c1f91f3e05 X-Archives-Hash: 10d038617b0b69c50469547ac1741961 commit: 09c6c156df57087c0541ea48cf809baca889472e Author: Dominick Grift gmail com> AuthorDate: Fri Oct 5 17:10:11 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Oct 6 15:53:08 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=09c6c156 Changes to the dbus policy module Declare a session_dbusd_home_t userdom user home content type and label $HOME/\.dbus accordingly Allow dbus_role_template callers to manage and relabel session dbusd content in tmp and user home. Allow session_bus_type to manage session dbusd content in user home Bind, policykit_auth and dhcpc are dbus system domains 
Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/bind.te | 7 +++---- policy/modules/contrib/dbus.fc | 2 ++ policy/modules/contrib/dbus.if | 8 ++++++++ policy/modules/contrib/dbus.te | 17 +++++++++-------- policy/modules/contrib/policykit.te | 4 ++-- 5 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 03790cc..481da8c 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.12.5)
+policy_module(bind, 1.12.6)
 ######################################## #
@@ -169,13 +169,12 @@ tunable_policy(`named_write_master_zones',`
 ')
 optional_policy(`
+ dbus_system_domain(named_t, named_exec_t)
+ init_dbus_chat_script(named_t)
 sysnet_dbus_chat_dhcpc(named_t)
- dbus_system_bus_client(named_t)
- dbus_connect_system_bus(named_t)
-
 optional_policy(`
 networkmanager_dbus_chat(named_t)
 ')
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index 897f816..dda905b 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+
 /etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
 /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index d3fd93d..c9efe1a 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -43,6 +43,7 @@ template(`dbus_role_template',`
 class dbus { send_msg acquire_svc };
 attribute session_bus_type;
 type system_dbusd_t, dbusd_exec_t;
+ type session_dbusd_tmp_t, session_dbusd_home_t;
 ')
 ############################## 
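Review bot: init_dbus_chat_script(named_t) in the second bind.te hunk is a new grant that the commit message does not mention — the message says only that bind becomes a dbus system domain, while this line additionally lets named_t exchange dbus messages with the init script domain. A commit-message line or an in-policy comment stating why named needs that chat (e.g. `# init_dbus_chat_script: <reason for named/init-script dbus traffic>`) would keep the widening reviewable later. The rest of the replacement reads as a consolidation: as I understand dbus_system_domain, `dbus_system_domain(named_t, named_exec_t)` covers the removed dbus_system_bus_client and dbus_connect_system_bus calls and takes over the transition from system_dbusd_t that the dbus.te hunk drops with bind_domtrans. The enclosing optional_policy block ends outside the hunk.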
@@ -67,6 +68,13 @@ template(`dbus_role_template',`
 allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 session_dbusd_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 session_dbusd_home_t:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+
+ allow $3 session_dbusd_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 session_dbusd_tmp_t:file { manage_file_perms relabel_file_perms };
+
 domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
 ps_process_pattern($3, $1_dbusd_t)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index e57780d..7de53c3 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.18.1)
+policy_module(dbus, 1.18.2)
 gen_require(`
 class dbus all_dbus_perms;
@@ -19,6 +19,9 @@ type dbusd_exec_t;
 corecmd_executable_file(dbusd_exec_t)
 typealias dbusd_exec_t alias system_dbusd_exec_t;
+type session_dbusd_home_t;
+userdom_user_home_content(session_dbusd_home_t)
+
 type session_dbusd_tmp_t;
 typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
 typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
@@ -132,16 +135,11 @@ miscfiles_read_generic_certs(system_dbusd_t)
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
-seutil_sigchld_newrole(system_dbusd_t)
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 optional_policy(`
- bind_domtrans(system_dbusd_t)
-')
-
-optional_policy(`
 bluetooth_stream_connect(system_dbusd_t)
 ')
@@ -151,12 +149,11 @@ optional_policy(`
 optional_policy(`
 policykit_dbus_chat(system_dbusd_t)
- policykit_domtrans_auth(system_dbusd_t)
 policykit_search_lib(system_dbusd_t)
 ')
 optional_policy(`
- sysnet_domtrans_dhcpc(system_dbusd_t)
+ seutil_sigchld_newrole(system_dbusd_t)
 ')
 optional_policy(` 
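Review bot: The relabel_dir_perms/relabel_file_perms (and manage_*_perms) that the dbus.if hunk grants to $3 on session_dbusd_tmp_t are handed to every role that instantiates dbus_role_template, and the dbus.te hunk in this same commit shows session_dbusd_tmp_t aliased over the former user/staff/sysadm tmp types, so as far as type enforcement is concerned the new relabel and manage permissions reach the session-bus tmp content of other roles' sessions too; only DAC (and MLS/MCS where enabled) separates them. If that is intended, it deserves a comment above the tmp rules so the cross-role reach is not lost on the next reader. As a point of style, the session_bus_type rules in the later dbus.te hunk express the same kind of grant through the pattern macros, so the template would read consistently using `manage_dirs_pattern($3, session_dbusd_home_t, session_dbusd_home_t)` together with `relabel_dirs_pattern(...)` and their file counterparts instead of raw allow rules. The dbus_role_template body starts and ends outside the hunk.
```m4
	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };

	manage_dirs_pattern($3, session_dbusd_home_t, session_dbusd_home_t)
	manage_files_pattern($3, session_dbusd_home_t, session_dbusd_home_t)
	relabel_dirs_pattern($3, session_dbusd_home_t, session_dbusd_home_t)
	relabel_files_pattern($3, session_dbusd_home_t, session_dbusd_home_t)
	userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")

	# session_dbusd_tmp_t is a single type shared by all roles (see the
	# typealias lines in dbus.te); TE does not separate one role's session
	# bus tmp content from another's here, only DAC/MLS does.
	manage_dirs_pattern($3, session_dbusd_tmp_t, session_dbusd_tmp_t)
	manage_files_pattern($3, session_dbusd_tmp_t, session_dbusd_tmp_t)
	relabel_dirs_pattern($3, session_dbusd_tmp_t, session_dbusd_tmp_t)
	relabel_files_pattern($3, session_dbusd_tmp_t, session_dbusd_tmp_t)

	# … unchanged: domtrans_pattern / ps_process_pattern …
```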
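Review bot: The fourth dbus.te hunk removes sysnet_domtrans_dhcpc(system_dbusd_t), but no sysnetwork file appears in the diffstat, so unless sysnetwork.te already calls dbus_system_domain for dhcpc_t, system_dbusd_t loses its transition into dhcpc_t with this commit; the bind and policykit removals in the third and fourth hunks are matched by the bind.te and policykit.te hunks, dhcpc is the one without a visible counterpart. The commit message states that dhcpc is a dbus system domain — if that is already provided elsewhere, naming the providing interface in the message would settle it. Separately, seutil_sigchld_newrole(system_dbusd_t) is dropped as an unconditional rule in the third hunk and re-added inside an optional_policy block in the fourth; if selinuxutil is a base module (as I believe it is), the optional wrapper changes nothing functionally, so a comment explaining the move would help. The surrounding optional_policy blocks continue outside the hunk.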
@@ -183,6 +180,10 @@ allow session_bus_type dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
+manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
+userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
+
 manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
 manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
 files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index e76b78f..6e6a13f 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.2.3)
+policy_module(policykit, 1.2.4)
 ######################################## #
@@ -105,7 +105,7 @@ miscfiles_read_localization(policykit_auth_t)
 userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
 optional_policy(`
- dbus_system_bus_client(policykit_auth_t)
+ dbus_system_domain(policykit_auth_t, policykit_auth_exec_t)
 dbus_all_session_bus_client(policykit_auth_t)
 optional_policy(`