* [refpolicy] [Dbus 1/1] Various fixes.
From: Dominick Grift @ 2010-09-03 10:01 UTC (permalink / raw)
To: refpolicy
Removed some unused dbus interfaces that really were too coarse anyway.
Renamed dbus_connect_session_bus to dbus_rename_all_session_bus for pulseaudio.
This interface should really be changed into something more specific.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 5c2680c... 333cf99... M policy/modules/apps/pulseaudio.te
:100644 100644 39e901a... 4d16a6b... M policy/modules/services/dbus.if
policy/modules/apps/pulseaudio.te | 2 +-
policy/modules/services/dbus.if | 51 +-----------------------------------
2 files changed, 3 insertions(+), 50 deletions(-)
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 5c2680c..333cf99 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -107,7 +107,7 @@ optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
- dbus_connect_session_bus(pulseaudio_t)
+ dbus_connect_all_session_bus(pulseaudio_t)
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
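Review bot: The `+` line calls `dbus_connect_all_session_bus(pulseaudio_t)`, but the commit message says the interface was renamed to `dbus_rename_all_session_bus`; the message should name the interface the patch actually introduces. Since the dbus.if part of the patch changes only the interface name, pulseaudio_t ends up with the same access as before, so a comment on this line marking it as a placeholder until a more specific interface exists would record the intent the commit message states.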
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 39e901a..4d16a6b 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -221,25 +221,6 @@ interface(`dbus_session_bus_client',`
########################################
## <summary>
-## Send a message the session DBUS.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dbus_send_session_bus',`
- gen_require(`
- attribute session_bus_type;
- class dbus send_msg;
- ')
-
- allow $1 session_bus_type:dbus send_msg;
-')
-
-########################################
-## <summary>
## Read dbus configuration.
## </summary>
## <param name="domain">
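Review bot: The removed `dbus_send_session_bus` is deleted outright with no deprecation stub, so any module outside this tree that still calls it stops building, and the "unused" claim in the commit message can only be checked against the two files in this diff. If the removal goes ahead, consider keeping the interface for a release with a `refpolicywarn` deprecation notice in its body, or say in the commit message how callers were searched for.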
@@ -298,7 +279,7 @@ interface(`dbus_manage_lib_files',`
########################################
## <summary>
-## Connect to the system DBUS
+## Connect to all session DBUS
## for service (acquire_svc).
## </summary>
## <param name="domain">
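Review bot: The new summary line `## Connect to all session DBUS` fixes the old text, which said "system DBUS" for an interface that requires `session_bus_type`, but it still describes the access as "connect" while the following line and the granted permission are `acquire_svc`. Wording such as "Acquire service names on all session buses" would match what the interface gives.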
@@ -307,7 +288,7 @@ interface(`dbus_manage_lib_files',`
## </summary>
## </param>
#
-interface(`dbus_connect_session_bus',`
+interface(`dbus_connect_all_session_bus',`
gen_require(`
attribute session_bus_type;
class dbus acquire_svc;
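Review bot: The rename on the `interface(` line leaves nothing under the old name `dbus_connect_session_bus`, and the `gen_require` block still pulls in the whole `session_bus_type` attribute, so the name is the only thing that changes. Either keep the old name as a deprecated wrapper around `dbus_connect_all_session_bus`, or add the more specific variant the commit message asks for (for example one that takes a single session bus type as a parameter) in the same patch, so callers have something narrower to move to.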
@@ -318,34 +299,6 @@ interface(`dbus_connect_session_bus',`
########################################
## <summary>
-## Allow a application domain to be started
-## by the session dbus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Type to be used as a domain.
-## </summary>
-## </param>
-## <param name="entry_point">
-## <summary>
-## Type of the program to be used as an
-## entry point to this domain.
-## </summary>
-## </param>
-#
-interface(`dbus_session_domain',`
- gen_require(`
- attribute session_bus_type;
- ')
-
- domtrans_pattern(session_bus_type, $2, $1)
-
- dbus_session_bus_client($1)
- dbus_connect_session_bus($1)
-')
-
-########################################
-## <summary>
## Connect to the system DBUS
## for service (acquire_svc).
## </summary>
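Review bot: Removing `dbus_session_domain` drops the only interface in the visible hunks that provides `domtrans_pattern(session_bus_type, $2, $1)`, which is how a module declares a domain the session bus may start, and nothing replaces it. Its body also calls `dbus_connect_session_bus($1)`, which this patch renames, so if the interface is kept that call has to become `dbus_connect_all_session_bus($1)`. If the objection is that it applies to every `session_bus_type`, a variant that takes the specific bus domain as an extra parameter would address that without deleting the capability.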
--
1.7.2.1
* [refpolicy] [Dbus 1/1] Various fixes.
From: Dominick Grift @ 2010-09-09 12:16 UTC (permalink / raw)
To: refpolicy
On Thu, Sep 09, 2010 at 08:05:26AM -0400, Christopher J. PeBenito wrote:
> On 09/03/10 06:01, Dominick Grift wrote:
> >Removed some unused dbus interfaces that really were too coarse anyway.
> >Renamed dbus_connect_session_bus to dbus_rename_all_session_bus for pulseaudio.
> >This interface should really be changed into something more specific.
>
> In this case I have to say no. Dbus should just be one domain
> constrained by UBAC, but due to its unfortunate ability to run
> programs, it needs to have separate domains. I still decided to
> keep the interfaces as if there was one domain.
Easy to say because refpolicy does not use them anyways. At least not the dbus_session_domain().
Once one starts confining user space (gnome apps etc), one will have to deal with this issue.
One calls a dbus_session_domain for one user, one calls it for all users (including unconfined_t).
>
> >Signed-off-by: Dominick Grift<domg472@gmail.com>
> >---
> >:100644 100644 5c2680c... 333cf99... M policy/modules/apps/pulseaudio.te
> >:100644 100644 39e901a... 4d16a6b... M policy/modules/services/dbus.if
> > policy/modules/apps/pulseaudio.te | 2 +-
> > policy/modules/services/dbus.if | 51 +-----------------------------------
> > 2 files changed, 3 insertions(+), 50 deletions(-)
> >
> >diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> >index 5c2680c..333cf99 100644
> >--- a/policy/modules/apps/pulseaudio.te
> >+++ b/policy/modules/apps/pulseaudio.te
> >@@ -107,7 +107,7 @@ optional_policy(`
> > dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
> > dbus_system_bus_client(pulseaudio_t)
> > dbus_session_bus_client(pulseaudio_t)
> >- dbus_connect_session_bus(pulseaudio_t)
> >+ dbus_connect_all_session_bus(pulseaudio_t)
> >
> > optional_policy(`
> > consolekit_dbus_chat(pulseaudio_t)
> >diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
> >index 39e901a..4d16a6b 100644
> >--- a/policy/modules/services/dbus.if
> >+++ b/policy/modules/services/dbus.if
> >@@ -221,25 +221,6 @@ interface(`dbus_session_bus_client',`
> >
> > ########################################
> > ##<summary>
> >-## Send a message the session DBUS.
> >-##</summary>
> >-##<param name="domain">
> >-## <summary>
> >-## Domain allowed access.
> >-## </summary>
> >-##</param>
> >-#
> >-interface(`dbus_send_session_bus',`
> >- gen_require(`
> >- attribute session_bus_type;
> >- class dbus send_msg;
> >- ')
> >-
> >- allow $1 session_bus_type:dbus send_msg;
> >-')
> >-
> >-########################################
> >-##<summary>
> > ## Read dbus configuration.
> > ##</summary>
> > ##<param name="domain">
> >@@ -298,7 +279,7 @@ interface(`dbus_manage_lib_files',`
> >
> > ########################################
> > ##<summary>
> >-## Connect to the system DBUS
> >+## Connect to all session DBUS
> > ## for service (acquire_svc).
> > ##</summary>
> > ##<param name="domain">
> >@@ -307,7 +288,7 @@ interface(`dbus_manage_lib_files',`
> > ## </summary>
> > ##</param>
> > #
> >-interface(`dbus_connect_session_bus',`
> >+interface(`dbus_connect_all_session_bus',`
> > gen_require(`
> > attribute session_bus_type;
> > class dbus acquire_svc;
> >@@ -318,34 +299,6 @@ interface(`dbus_connect_session_bus',`
> >
> > ########################################
> > ##<summary>
> >-## Allow a application domain to be started
> >-## by the session dbus.
> >-##</summary>
> >-##<param name="domain">
> >-## <summary>
> >-## Type to be used as a domain.
> >-## </summary>
> >-##</param>
> >-##<param name="entry_point">
> >-## <summary>
> >-## Type of the program to be used as an
> >-## entry point to this domain.
> >-## </summary>
> >-##</param>
> >-#
> >-interface(`dbus_session_domain',`
> >- gen_require(`
> >- attribute session_bus_type;
> >- ')
> >-
> >- domtrans_pattern(session_bus_type, $2, $1)
> >-
> >- dbus_session_bus_client($1)
> >- dbus_connect_session_bus($1)
> >-')
> >-
> >-########################################
> >-##<summary>
> > ## Connect to the system DBUS
> > ## for service (acquire_svc).
> > ##</summary>
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com