1 ## <summary>Desktop messaging bus</summary>
2
########################################
## <summary>
##	DBUS stub interface.  No access allowed.
## </summary>
## <desc>
##	<p>
##	Only requires the system bus type and the dbus
##	object class.  No allow rule is emitted and the
##	parameter is not used.
##	</p>
## </desc>
## <param name="domain" unused="true">
##	<summary>
##	Unused.  No access is granted to this domain.
##	</summary>
## </param>
#
interface(`dbus_stub',`
	gen_require(`
		class dbus all_dbus_perms;
		type system_dbusd_t;
	')
')
19
########################################
## <summary>
##	Role access for dbus
## </summary>
## <desc>
##	<p>
##	Declares a per-role session bus domain named
##	after the role prefix (prefix_dbusd_t), adds it
##	to session_bus_type, and lets the user domain
##	start it, connect to it and signal it.
##	</p>
##	<p>
##	The user domain also receives send_msg and
##	acquire_svc on the system bus, and every domain
##	carrying dbusd_unconfined receives send_msg and
##	acquire_svc on the new session bus.
##	</p>
## </desc>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
template(`dbus_role_template',`
	gen_require(`
		type $1_t;
		type system_dbusd_t, dbusd_exec_t, dbusd_etc_t;
		type session_dbusd_tmp_t;

		attribute session_bus_type;
		attribute dbusd_unconfined;

		class dbus { send_msg acquire_svc };
	')

	##############################
	#
	# Declarations
	#

	# The per-role session bus daemon domain.  It is a member of
	# session_bus_type so the session bus interfaces in this file
	# apply to it.
	type $1_dbusd_t, session_bus_type;
	domain_type($1_dbusd_t)
	domain_entry_file($1_dbusd_t, dbusd_exec_t)
	ubac_constrained($1_dbusd_t)
	role $2 types $1_dbusd_t;

	##############################
	#
	# Local policy
	#

	# Permissions of the session bus daemon on itself.
	allow $1_dbusd_t self:process { getattr sigkill signal };
	dontaudit $1_dbusd_t self:process ptrace;
	allow $1_dbusd_t self:file { getattr read write };
	allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
	allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
	# NOTE(review): a TCP socket on a per-user session bus widens the
	# reachable surface beyond local unix sockets; confirm it is needed.
	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;

	# For connecting to the bus
	allow $3 $1_dbusd_t:unix_stream_socket connectto;

	# SE-DBus specific permissions
	allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
	# NOTE(review): acquire_svc on system_dbusd_t is granted to the user
	# domain here as well as send_msg; confirm that owning names on the
	# system bus is intended for every role using this template.
	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };

	# Bus configuration: list the directory, read files and symlinks.
	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
	read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
	read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)

	# Session bus temporary files and directories, labeled on creation.
	manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
	manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })

	# The user domain starts the session bus and may signal it.
	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
	allow $3 $1_dbusd_t:process { signull sigkill signal };

	# cjp: this seems very broken
	# NOTE(review): the bus daemon can transition back into the role
	# user domain through generic bin files and can sigkill the user
	# domain; both directions deserve a second look.
	corecmd_bin_domtrans($1_dbusd_t, $1_t)
	allow $1_dbusd_t $3:process sigkill;
	allow $3 $1_dbusd_t:fd use;
	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
	allow $3 $1_dbusd_t:process sigchld;

	kernel_read_system_state($1_dbusd_t)
	kernel_read_kernel_sysctls($1_dbusd_t)

	corecmd_list_bin($1_dbusd_t)
	corecmd_read_bin_symlinks($1_dbusd_t)
	corecmd_read_bin_files($1_dbusd_t)
	corecmd_read_bin_pipes($1_dbusd_t)
	corecmd_read_bin_sockets($1_dbusd_t)

	# NOTE(review): going by the interface names this covers TCP traffic
	# on all ports and binding reserved ports; confirm a session bus
	# still needs that much network access.
	corenet_all_recvfrom_unlabeled($1_dbusd_t)
	corenet_all_recvfrom_netlabel($1_dbusd_t)
	corenet_tcp_sendrecv_generic_if($1_dbusd_t)
	corenet_tcp_sendrecv_generic_node($1_dbusd_t)
	corenet_tcp_sendrecv_all_ports($1_dbusd_t)
	corenet_tcp_bind_generic_node($1_dbusd_t)
	corenet_tcp_bind_reserved_port($1_dbusd_t)

	dev_read_urand($1_dbusd_t)

	domain_use_interactive_fds($1_dbusd_t)
	domain_read_all_domains_state($1_dbusd_t)

	files_read_etc_files($1_dbusd_t)
	files_list_home($1_dbusd_t)
	files_read_usr_files($1_dbusd_t)
	files_dontaudit_search_var($1_dbusd_t)

	fs_getattr_romfs($1_dbusd_t)
	fs_getattr_xattr_fs($1_dbusd_t)
	fs_list_inotifyfs($1_dbusd_t)
	fs_dontaudit_list_nfs($1_dbusd_t)

	# The bus daemon acts as a userspace object manager for the dbus
	# class, so it queries the security server.
	selinux_get_fs_mount($1_dbusd_t)
	selinux_validate_context($1_dbusd_t)
	selinux_compute_access_vector($1_dbusd_t)
	selinux_compute_create_context($1_dbusd_t)
	selinux_compute_relabel_context($1_dbusd_t)
	selinux_compute_user_contexts($1_dbusd_t)

	auth_read_pam_console_data($1_dbusd_t)
	auth_use_nsswitch($1_dbusd_t)

	logging_send_audit_msgs($1_dbusd_t)
	logging_send_syslog_msg($1_dbusd_t)

	miscfiles_read_localization($1_dbusd_t)

	seutil_read_config($1_dbusd_t)
	seutil_read_default_contexts($1_dbusd_t)

	term_use_all_terms($1_dbusd_t)

	# NOTE(review): manage access to user home content is broad for a
	# message bus daemon; confirm which activated services rely on it.
	userdom_dontaudit_search_admin_dir($1_dbusd_t)
	userdom_manage_user_home_content_dirs($1_dbusd_t)
	userdom_manage_user_home_content_files($1_dbusd_t)
	userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })

	# Only hides the denials for the leaked netlink socket; nothing is granted.
	ifdef(`hide_broken_symptoms', `
		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
	')

	optional_policy(`
		gnome_read_gconf_home_files($1_dbusd_t)
	')

	optional_policy(`
		hal_dbus_chat($1_dbusd_t)
	')

	optional_policy(`
		xserver_use_xdm_fds($1_dbusd_t)
		xserver_rw_xdm_pipes($1_dbusd_t)
	')
')
176
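#######################################
## <summary>
##	Allow a domain to be a client of
##	the system DBUS.
## </summary>
## <desc>
##	<p>
##	The domain may connect to the system bus socket,
##	read the bus configuration and lib files, and
##	send messages to the bus daemon and to itself.
##	In return the bus daemon and every domain with
##	the dbusd_unconfined attribute may send messages
##	to the domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_system_bus_client',`
	# system_dbusd_t used to be required twice on one line;
	# a single requirement is sufficient.
	gen_require(`
		type system_dbusd_t;
		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
		class dbus send_msg;
		attribute dbusd_unconfined;
	')

	# SE-DBus specific permissions
	allow $1 { system_dbusd_t self }:dbus send_msg;
	# Reverse direction: the bus daemon and all dbusd_unconfined
	# domains may message this client.
	allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;

	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
	files_search_var_lib($1)

	# For connecting to the bus
	files_search_pids($1)
	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
	dbus_read_config($1)
')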
208
#######################################
## <summary>
##	Allow a domain to be a client of
##	a user (session) DBUS.
## </summary>
## <desc>
##	<p>
##	The grant is made against the session_bus_type
##	attribute, so it applies to every session bus
##	domain, not only the bus of one role.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_session_bus_client',`
	gen_require(`
		class dbus send_msg;
		attribute session_bus_type;
	')

	# For connecting to the bus
	allow $1 session_bus_type:unix_stream_socket connectto;

	# SE-DBus specific permissions: send to any session bus and to itself
	allow $1 { session_bus_type self }:dbus send_msg;
')
232
########################################
## <summary>
##	Send a message on the session DBUS.
## </summary>
## <desc>
##	<p>
##	Grants only the dbus send_msg permission on
##	session bus domains.  Connecting to the bus
##	socket is not part of this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_send_session_bus',`
	gen_require(`
		class dbus send_msg;
		attribute session_bus_type;
	')

	# Applies to all members of session_bus_type.
	allow $1 session_bus_type:dbus send_msg;
')
251
########################################
## <summary>
##	Read dbus configuration.
## </summary>
## <desc>
##	<p>
##	Read-only access: list the configuration
##	directories and read the files labeled
##	dbusd_etc_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_read_config',`
	gen_require(`
		type dbusd_etc_t;
	')

	# Files first, then the directories that hold them.
	allow $1 dbusd_etc_t:file read_file_perms;
	allow $1 dbusd_etc_t:dir list_dir_perms;
')
270
########################################
## <summary>
##	Read system dbus lib files.
## </summary>
## <desc>
##	<p>
##	Read-only access to files labeled
##	system_dbusd_var_lib_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_read_lib_files',`
	gen_require(`
		type system_dbusd_var_lib_t;
	')

	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
	# Needed to reach the files through the parent directory.
	files_search_var_lib($1)
')
289
########################################
## <summary>
##	Create, read, write, and delete
##	system dbus lib files.
## </summary>
## <desc>
##	<p>
##	Write access to state owned by the system bus.
##	Prefer dbus_read_lib_files unless the caller
##	really has to modify these files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_manage_lib_files',`
	gen_require(`
		type system_dbusd_var_lib_t;
	')

	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
	# Needed to reach the files through the parent directory.
	files_search_var_lib($1)
')
309
########################################
## <summary>
##	Connect to the session DBUS
##	for service (acquire_svc).
## </summary>
## <desc>
##	<p>
##	The rule targets session_bus_type, not the
##	system bus.  A domain with acquire_svc can
##	own service names on every session bus.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_connect_session_bus',`
	gen_require(`
		class dbus acquire_svc;
		attribute session_bus_type;
	')

	# Name ownership on any member of session_bus_type.
	allow $1 session_bus_type:dbus acquire_svc;
')
329
########################################
## <summary>
##	Allow an application domain to be started
##	by the session dbus.
## </summary>
## <desc>
##	<p>
##	Every session bus domain may transition into
##	the application domain through the entry point.
##	The application domain also becomes a session
##	bus client and may acquire service names.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an
##	entry point to this domain.
##	</summary>
## </param>
#
interface(`dbus_session_domain',`
	gen_require(`
		attribute session_bus_type;
	')

	# Bus access for the activated service: client plus name ownership.
	dbus_session_bus_client($1)
	dbus_connect_session_bus($1)

	# Activation: any session bus may run the entry point and
	# transition into the application domain.
	domtrans_pattern(session_bus_type, $2, $1)
')
357
########################################
## <summary>
##	Connect to the system DBUS
##	for service (acquire_svc).
## </summary>
## <desc>
##	<p>
##	A domain with acquire_svc can own service
##	names on the system bus.  Grant it only to
##	domains that provide a system bus service.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_connect_system_bus',`
	gen_require(`
		class dbus acquire_svc;
		type system_dbusd_t;
	')

	# Name ownership on the system bus.
	allow $1 system_dbusd_t:dbus acquire_svc;
')
377
########################################
## <summary>
##	Send a message on the system DBUS.
## </summary>
## <desc>
##	<p>
##	Grants only the dbus send_msg permission on
##	the system bus daemon.  Connecting to the bus
##	socket is not part of this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_send_system_bus',`
	gen_require(`
		class dbus send_msg;
		type system_dbusd_t;
	')

	# Message permission towards the bus daemon only.
	allow $1 system_dbusd_t:dbus send_msg;
')
396
########################################
## <summary>
##	Allow unconfined access to the system DBUS.
## </summary>
## <desc>
##	<p>
##	Grants every permission of the dbus class on
##	the system bus daemon.  Reserve this for
##	domains that are meant to be unconfined.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_system_bus_unconfined',`
	gen_require(`
		class dbus all_dbus_perms;
		type system_dbusd_t;
	')

	# The wildcard covers all permissions of the dbus class.
	allow $1 system_dbusd_t:dbus *;
')
415
########################################
## <summary>
##	Create a domain for processes
##	which can be started by the system dbus
## </summary>
## <desc>
##	<p>
##	Declares the type as a domain in system_r with
##	the given entry point, lets the system bus
##	daemon transition into it, and makes it a system
##	bus client that may acquire service names.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
#
interface(`dbus_system_domain',`
	gen_require(`
		role system_r;
		type system_dbusd_t;
	')

	# Domain declaration and role association.
	domain_type($1)
	domain_entry_file($1, $2)
	role system_r types $1;

	# Activation by the system bus daemon.
	domtrans_pattern(system_dbusd_t, $2, $1)
	ps_process_pattern(system_dbusd_t, $1)

	# Bus access for the activated service: client plus name ownership.
	dbus_system_bus_client($1)
	dbus_connect_system_bus($1)

	init_stream_connect($1)

	# NOTE(review): going by the interface names, the next rules give
	# every bus-activated service search access on all filesystems and
	# read access to the state of all user processes; confirm that each
	# caller needs this, or move it into the individual service modules.
	fs_search_all($1)
	userdom_read_all_users_state($1)
	userdom_dontaudit_search_admin_dir($1)

	optional_policy(`
		rpm_script_dbus_chat($1)
	')

	optional_policy(`
		unconfined_dbus_send($1)
	')

	# Only hides the denials for the leaked netlink socket; nothing is granted.
	ifdef(`hide_broken_symptoms', `
		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
	')
')
469
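########################################
## <summary>
##	Do not audit attempts to read and write
##	system dbus TCP sockets.
## </summary>
## <desc>
##	<p>
##	Silences denials for TCP sockets and file
##	descriptors inherited from the system bus
##	daemon.  No access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
	gen_require(`
		type system_dbusd_t;
	')

	# These two rules were written as allow, which granted real
	# read and write access to the system bus TCP sockets and use of
	# its file descriptors to every caller of a dontaudit interface.
	# A domain that truly needs that access has to request it through
	# an explicit allow interface.
	dontaudit $1 system_dbusd_t:tcp_socket { read write };
	dontaudit $1 system_dbusd_t:fd use;
')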
488
########################################
## <summary>
##	Make a domain an unconfined DBUS domain.
## </summary>
## <desc>
##	<p>
##	Adds the dbusd_unconfined attribute to the
##	domain.  In this module the attribute carries
##	send_msg and acquire_svc on the per-role session
##	buses and send_msg to every system bus client.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_unconfined',`
	gen_require(`
		attribute dbusd_unconfined;
	')

	# No allow rule here: access follows from the rules written
	# against the attribute elsewhere in the policy.
	typeattribute $1 dbusd_unconfined;
')
506
########################################
## <summary>
##	Delete system dbus pid files
## </summary>
## <desc>
##	<p>
##	Covers files labeled system_dbusd_var_run_t
##	only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dbus_delete_pid_files',`
	gen_require(`
		type system_dbusd_var_run_t;
	')

	# NOTE(review): unlike dbus_system_bus_client, no files_search_pids
	# call is made here; presumably callers already have search access
	# to the parent pid directory - confirm.
	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
')
524