1 ## <summary>Desktop messaging bus</summary>
3 ########################################
5 ## DBUS stub interface. No access allowed.
7 ## <param name="domain" unused="true">
9 ## Domain allowed access
13 interface(`dbus_stub',`
# Stub: the only visible statement declares the dbus object class with
# all_dbus_perms. No allow rule is present, so a caller gains no access.
# NOTE(review): the gen_require wrapper and the macro closing are not
# shown in this listing.
16 class dbus all_dbus_perms;
20 ########################################
22 ## Role access for dbus
24 ## <param name="role_prefix">
26 ## The prefix of the user role (e.g., user
27 ## is the prefix for user_r).
30 ## <param name="role">
32 ## Role allowed access
35 ## <param name="domain">
37 ## User domain for the role
41 template(`dbus_role_template',`
# Builds a per-role session bus daemon domain named after the role prefix
# and connects it to the user domain passed as the third argument.
# NOTE(review): this listing drops some lines (gen_require wrappers,
# optional_policy blocks, closing quotes), so only visible rules are described.
# Declarations required from the rest of the policy.
43 class dbus { send_msg acquire_svc };
45 attribute dbusd_unconfined;
46 attribute session_bus_type;
47 type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
51 ##############################
# Declarations: the new daemon type joins session_bus_type, so every rule
# written against that attribute applies to it as well.
56 type $1_dbusd_t, session_bus_type;
57 domain_type($1_dbusd_t)
58 domain_entry_file($1_dbusd_t, dbusd_exec_t)
59 ubac_constrained($1_dbusd_t)
60 role $2 types $1_dbusd_t;
62 ##############################
# Local policy for the daemon domain itself.
67 allow $1_dbusd_t self:process { getattr sigkill signal };
68 dontaudit $1_dbusd_t self:process ptrace;
69 allow $1_dbusd_t self:file { getattr read write };
70 allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
71 allow $1_dbusd_t self:dbus { send_msg acquire_svc };
72 allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
73 allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
# NOTE(review): the daemon also gets TCP stream sockets; together with the
# corenet rules further down this permits network-facing listeners.
74 allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
75 allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
77 # For connecting to the bus
78 allow $3 $1_dbusd_t:unix_stream_socket connectto;
80 # SE-DBus specific permissions
# Every domain carrying dbusd_unconfined, plus the user domain, may send
# messages to and acquire service names on this session bus.
81 allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
# The user domain also receives send_msg and acquire_svc on the system bus.
82 allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
# Read-only access to dbus configuration labelled dbusd_etc_t.
84 allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
85 read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
86 read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
# Files and directories the daemon creates under tmp get session_dbusd_tmp_t.
88 manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
89 manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
90 files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
# The user domain enters the daemon domain by executing dbusd_exec_t and
# may signal the resulting process.
92 domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
93 allow $3 $1_dbusd_t:process { signull sigkill signal };
95 # cjp: this seems very broken
# NOTE(review): presumably this lets the daemon transition back into the
# user domain by executing bin files, and the next rule lets it SIGKILL the
# user domain. Confirm this bidirectional trust is intended.
96 corecmd_bin_domtrans($1_dbusd_t, $1_t)
97 allow $1_dbusd_t $3:process sigkill;
98 allow $3 $1_dbusd_t:fd use;
99 allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
100 allow $3 $1_dbusd_t:process sigchld;
102 kernel_read_system_state($1_dbusd_t)
103 kernel_read_kernel_sysctls($1_dbusd_t)
105 corecmd_list_bin($1_dbusd_t)
106 corecmd_read_bin_symlinks($1_dbusd_t)
107 corecmd_read_bin_files($1_dbusd_t)
108 corecmd_read_bin_pipes($1_dbusd_t)
109 corecmd_read_bin_sockets($1_dbusd_t)
# NOTE(review): network rules for a session bus daemon. By their names they
# cover all ports and binding to reserved ports; clients in this template
# connect over a unix stream socket, so confirm the TCP access is required.
111 corenet_all_recvfrom_unlabeled($1_dbusd_t)
112 corenet_all_recvfrom_netlabel($1_dbusd_t)
113 corenet_tcp_sendrecv_generic_if($1_dbusd_t)
114 corenet_tcp_sendrecv_generic_node($1_dbusd_t)
115 corenet_tcp_sendrecv_all_ports($1_dbusd_t)
116 corenet_tcp_bind_generic_node($1_dbusd_t)
117 corenet_tcp_bind_reserved_port($1_dbusd_t)
119 dev_read_urand($1_dbusd_t)
121 domain_use_interactive_fds($1_dbusd_t)
# NOTE(review): by its name this reads the process state of every domain.
122 domain_read_all_domains_state($1_dbusd_t)
124 files_read_etc_files($1_dbusd_t)
125 files_list_home($1_dbusd_t)
126 files_read_usr_files($1_dbusd_t)
127 files_dontaudit_search_var($1_dbusd_t)
129 fs_getattr_romfs($1_dbusd_t)
130 fs_getattr_xattr_fs($1_dbusd_t)
131 fs_list_inotifyfs($1_dbusd_t)
132 fs_dontaudit_list_nfs($1_dbusd_t)
# The daemon queries the SELinux security server; presumably this backs the
# SE-DBus send_msg and acquire_svc checks it performs for its clients.
134 selinux_get_fs_mount($1_dbusd_t)
135 selinux_validate_context($1_dbusd_t)
136 selinux_compute_access_vector($1_dbusd_t)
137 selinux_compute_create_context($1_dbusd_t)
138 selinux_compute_relabel_context($1_dbusd_t)
139 selinux_compute_user_contexts($1_dbusd_t)
141 auth_read_pam_console_data($1_dbusd_t)
142 auth_use_nsswitch($1_dbusd_t)
144 logging_send_audit_msgs($1_dbusd_t)
145 logging_send_syslog_msg($1_dbusd_t)
147 miscfiles_read_localization($1_dbusd_t)
149 seutil_read_config($1_dbusd_t)
150 seutil_read_default_contexts($1_dbusd_t)
152 term_use_all_terms($1_dbusd_t)
# NOTE(review): the daemon may manage user home content and create files
# and directories there with the user home content label.
154 userdom_dontaudit_search_admin_dir($1_dbusd_t)
155 userdom_manage_user_home_content_dirs($1_dbusd_t)
156 userdom_manage_user_home_content_files($1_dbusd_t)
157 userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
# Only when hide_broken_symptoms is defined: silence denials for the user
# domain touching the daemon netlink_selinux_socket (presumably a leaked
# descriptor). The closing of this ifdef is not shown in this listing.
159 ifdef(`hide_broken_symptoms', `
160 dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
# Calls into other policy modules; presumably each sits in an
# optional_policy block that this listing does not show.
164 gnome_read_gconf_home_files($1_dbusd_t)
168 hal_dbus_chat($1_dbusd_t)
172 xserver_use_xdm_fds($1_dbusd_t)
173 xserver_rw_xdm_pipes($1_dbusd_t)
177 #######################################
179 ## Template for creating connections to the system DBUS.
182 ## <param name="domain">
184 ## Domain allowed access.
188 interface(`dbus_system_bus_client',`
# Makes the caller a client of the system bus: it may send messages and
# open a stream connection to the daemon socket.
# NOTE(review): system_dbusd_t is listed twice in the next declaration; the
# second entry is redundant.
190 type system_dbusd_t, system_dbusd_t;
191 type system_dbusd_var_run_t, system_dbusd_var_lib_t;
193 attribute dbusd_unconfined;
196 # SE-DBus specific permissions
# Caller may send to the system bus daemon and to itself.
197 allow $1 { system_dbusd_t self }:dbus send_msg;
# Reverse direction: the daemon and every dbusd_unconfined domain may send
# messages to the caller.
198 allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
# Read-only access to files labelled system_dbusd_var_lib_t.
200 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
201 files_search_var_lib($1)
203 # For connecting to the bus
204 files_search_pids($1)
205 stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
209 #######################################
211 ## Template for creating connections to the session DBUS.
214 ## <param name="domain">
216 ## Domain allowed access.
220 interface(`dbus_session_bus_client',`
# Makes the caller a client of every session bus: the rules target the
# session_bus_type attribute rather than one specific daemon type.
222 attribute session_bus_type;
226 # SE-DBus specific permissions
# Caller may send to any session bus daemon and to itself.
227 allow $1 { session_bus_type self }:dbus send_msg;
229 # For connecting to the bus
230 allow $1 session_bus_type:unix_stream_socket connectto;
233 ########################################
235 ## Send a message on the session DBUS.
237 ## <param name="domain">
239 ## Domain allowed access.
243 interface(`dbus_send_session_bus',`
# Grants only the SE-DBus send_msg permission toward session bus daemons.
# No socket connect rule is included here.
245 attribute session_bus_type;
249 allow $1 session_bus_type:dbus send_msg;
252 ########################################
254 ## Read dbus configuration.
256 ## <param name="domain">
258 ## Domain allowed access.
262 interface(`dbus_read_config',`
# Read-only access to dbus configuration labelled dbusd_etc_t.
# NOTE(review): the require for dbusd_etc_t is not shown in this listing.
267 allow $1 dbusd_etc_t:dir list_dir_perms;
268 allow $1 dbusd_etc_t:file read_file_perms;
271 ########################################
273 ## Read system dbus lib files.
275 ## <param name="domain">
277 ## Domain allowed access.
281 interface(`dbus_read_lib_files',`
# Read-only access to system bus files labelled system_dbusd_var_lib_t.
283 type system_dbusd_var_lib_t;
# Search permission on the var lib directory is needed to reach the files.
286 files_search_var_lib($1)
287 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
290 ########################################
292 ## Create, read, write, and delete
293 ## system dbus lib files.
295 ## <param name="domain">
297 ## Domain allowed access.
301 interface(`dbus_manage_lib_files',`
# Full management of system bus files labelled system_dbusd_var_lib_t.
# This is the write-capable counterpart of dbus_read_lib_files, so grant it
# only to domains that must modify that state.
303 type system_dbusd_var_lib_t;
306 files_search_var_lib($1)
307 manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
310 ########################################
312 ## Connect to the session DBUS
313 ## for service (acquire_svc).
315 ## <param name="domain">
317 ## Domain allowed access.
321 interface(`dbus_connect_session_bus',`
# Lets the caller acquire a service name on any session bus. The rule
# targets the session_bus_type attribute, not the system bus daemon.
323 attribute session_bus_type;
324 class dbus acquire_svc;
327 allow $1 session_bus_type:dbus acquire_svc;
330 ########################################
332 ## Allow an application domain to be started
333 ## by the session dbus.
335 ## <param name="domain">
337 ## Type to be used as a domain.
340 ## <param name="entry_point">
342 ## Type of the program to be used as an
343 ## entry point to this domain.
347 interface(`dbus_session_domain',`
# Lets any session bus daemon start the given domain through its entry
# point, then gives that domain client and service-name access to the bus.
349 attribute session_bus_type;
# Transition: session bus daemon executes the entry point type (second
# argument) and the new process runs in the domain (first argument).
352 domtrans_pattern(session_bus_type, $2, $1)
354 dbus_session_bus_client($1)
355 dbus_connect_session_bus($1)
358 ########################################
360 ## Connect to the system DBUS
361 ## for service (acquire_svc).
363 ## <param name="domain">
365 ## Domain allowed access.
369 interface(`dbus_connect_system_bus',`
# Lets the caller acquire a service name on the system bus.
# NOTE(review): the require for system_dbusd_t is not shown in this listing.
372 class dbus acquire_svc;
375 allow $1 system_dbusd_t:dbus acquire_svc;
378 ########################################
380 ## Send a message on the system DBUS.
382 ## <param name="domain">
384 ## Domain allowed access.
388 interface(`dbus_send_system_bus',`
# Grants only the SE-DBus send_msg permission toward the system bus daemon.
# No socket connect rule is included here.
394 allow $1 system_dbusd_t:dbus send_msg;
397 ########################################
399 ## Allow unconfined access to the system DBUS.
401 ## <param name="domain">
403 ## Domain allowed access.
407 interface(`dbus_system_bus_unconfined',`
# Grants every permission of the dbus class toward the system bus daemon.
410 class dbus all_dbus_perms;
# NOTE(review): the wildcard also covers any permission later added to the
# dbus class, so callers of this interface should be kept to a minimum.
413 allow $1 system_dbusd_t:dbus *;
416 ########################################
418 ## Create a domain for processes
419 ## which can be started by the system dbus
421 ## <param name="domain">
423 ## Type to be used as a domain.
426 ## <param name="entry_point">
428 ## Type of the program to be used as an entry point to this domain.
432 interface(`dbus_system_domain',`
# Sets up a domain that the system bus daemon can start, and gives it
# client and service-name access to the system bus.
# NOTE(review): this listing drops some lines (requires, optional_policy
# blocks, closing quotes), so only visible rules are described.
439 domain_entry_file($1, $2)
441 role system_r types $1;
# Transition: the system bus daemon executes the entry point type (second
# argument) and the new process runs in the domain (first argument).
443 domtrans_pattern(system_dbusd_t, $2, $1)
447 dbus_system_bus_client($1)
448 dbus_connect_system_bus($1)
450 init_stream_connect($1)
# Presumably lets the system bus daemon inspect the process state of the
# domain it started.
452 ps_process_pattern(system_dbusd_t, $1)
454 userdom_dontaudit_search_admin_dir($1)
# NOTE(review): by its name this reads the process state of all user domains.
455 userdom_read_all_users_state($1)
# Calls into other policy modules; presumably each sits in an
# optional_policy block that this listing does not show.
458 rpm_script_dbus_chat($1)
462 unconfined_dbus_send($1)
# Only when hide_broken_symptoms is defined: silence denials for the new
# domain touching the system bus netlink_selinux_socket (presumably a leaked
# descriptor). The closing of this ifdef is not shown in this listing.
465 ifdef(`hide_broken_symptoms', `
466 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
470 ########################################
472 ## Do not audit attempts to read and write system dbus TCP sockets.
474 ## <param name="domain">
476 ## Domain to not audit.
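480 interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
# Suppresses audit records when the caller touches TCP sockets or file
# descriptors owned by the system bus daemon. It grants no access.
# These two rules were written as allow rules, which granted read and write
# on the daemon TCP sockets under an interface whose name and documentation
# promise only audit suppression. They are dontaudit rules now, so callers
# that relied on the hidden grant must request that access explicitly.
# NOTE(review): the require for system_dbusd_t and the macro closing are
# not shown in this listing.
485 dontaudit $1 system_dbusd_t:tcp_socket { read write };
486 dontaudit $1 system_dbusd_t:fd use;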
489 ########################################
491 ## Allow unconfined access to the system DBUS.
493 ## <param name="domain">
495 ## Domain allowed access.
499 interface(`dbus_unconfined',`
# Adds the caller to the dbusd_unconfined attribute. Elsewhere in this file
# that attribute receives send_msg and acquire_svc on every role session
# bus (dbus_role_template) and send_msg toward every system bus client
# (dbus_system_bus_client), so membership is a broad grant.
501 attribute dbusd_unconfined;
504 typeattribute $1 dbusd_unconfined;
507 ########################################
509 ## Delete all dbus pid files
511 ## <param name="domain">
513 ## Domain allowed access.
517 interface(`dbus_delete_pid_files',`
# Lets the caller delete files labelled system_dbusd_var_run_t, the type the
# system bus client rules use for the daemon socket location.
# NOTE(review): no search rule for the parent pid directory is visible
# here; confirm callers obtain it elsewhere.
519 type system_dbusd_var_run_t;
522 delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)