[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

Mon, 05 Jun 2017 10:26:11 -0700 

commit:     e2346cfeb76c46e1dbf2afc99f792f053693c899
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu May 25 11:23:26 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun  5 17:16:18 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2346cfe

dbus: let session bus daemon manage user runtime dirs

Let the session dbus process manage user runtime directories (with
its own file type).

This is the fifth version (v5) of the patch, thanks to Dominick
Grift for revising the previous versions and suggesting improvements,
although unfortunately this new version needs to revert one of the
suggested amendments because it was misleading.

Signed-off-by: Guido Trentalancia <guido at trentalancia.com>

 policy/modules/contrib/dbus.fc | 2 ++
 policy/modules/contrib/dbus.te | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index c2a15358..eba45221 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?                           
gen_context(system_u:object_r:session_dbusd_home_t,s0)
 
 /run/dbus(/.*)?                                        
gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 /run/messagebus\.pid                   --      
gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/user/%{USERID}/bus                        -s      
gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
+/run/user/%{USERID}/dbus-1(/.*)?               
gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
 
 /usr/bin/dbus-daemon(-1)?              --      
gen_context(system_u:object_r:dbusd_exec_t,s0)
 

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index ca39fb6b..007de863 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
 init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
 
+type session_dbusd_runtime_t;
+files_pid_file(session_dbusd_runtime_t)
+
 ifdef(`enable_mcs',`
        init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - 
mcs_systemhigh)
 ')
@@ -210,6 +213,11 @@ manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, 
session_dbusd_tmp_t)
 manage_files_pattern(session_bus_type, session_dbusd_tmp_t, 
session_dbusd_tmp_t)
 files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
 
+manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, 
session_dbusd_runtime_t)
+manage_files_pattern(session_bus_type, session_dbusd_runtime_t, 
session_dbusd_runtime_t)
+manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, 
session_dbusd_runtime_t)
+userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { 
dir file sock_file })
+
 kernel_read_system_state(session_bus_type)
 kernel_read_kernel_sysctls(session_bus_type)

Reply via email to