From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 28 Feb 2011 19:30:41 +0100
Subject: [refpolicy] [PATCH 29/34]: patch to add sys_ptrace permission to the dbus module
In-Reply-To: <4D6BB5C1.5040609@tresys.com>
References: <1297838137.3205.106.camel@tesla.lan> <4D6BB5C1.5040609@tresys.com>
Message-ID: <1298917841.3123.5.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher!

On Mon, 28/02/2011 at 09.48 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:35, Guido Trentalancia wrote:
> > This patch adds self:capability sys_ptrace to the dbus module.
> >
> > --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 02:36:05.874787818 +0100
> > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:51:51.910683659 +0100
> > @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
> >
> > # dac_override: /var/run/dbus is owned by messagebus on Debian
> > # cjp: dac_override should probably go in a distro_debian
> > -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
> > +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
> > dontaudit system_dbusd_t self:capability sys_tty_config;
> > allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
> > allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
>
> I find this highly questionable. It needs justification.

After testing with the latest dbus, there are even more:

+ sys_resource in capability and
+ setrlimit in process.

What's the latest version of dbus that you have tested?

Regards,

Guido
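Review bot: the `+allow system_dbusd_t self:capability { ... sys_ptrace }` line in the dbus.te hunk grants a capability that lets the system bus ptrace and read the memory of other processes, with no comment saying which dbus code path needs it; the adjacent `dac_override` grant carries a justification comment (`# dac_override: /var/run/dbus is owned by messagebus on Debian`) and the new permission should get the same treatment before it is merged. If the only evidence is an AVC denial seen in testing, the hunk's own `dontaudit system_dbusd_t self:capability sys_tty_config;` line shows the pattern to prefer first: silence the denial and confirm the daemon still works, and add the `allow` only once the reason is known and recorded in the comment. The same applies to the `sys_resource` and `setrlimit` additions mentioned in the reply, which should name the dbus version that triggers them.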