* [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy
@ 2011-01-24 0:43 Guido Trentalancia
2011-01-24 14:24 ` Dominick Grift
0 siblings, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2011-01-24 0:43 UTC (permalink / raw)
To: refpolicy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if
--- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if 2011-01-08 19:07:21.176730930 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if 2011-01-23 22:00:15.084140029 +0100
@@ -1 +1,42 @@
## <summary>Command-line CPU frequency settings.</summary>
+
+########################################
+## <summary>
+## Send a dbus message to
+## cpufreq-selector.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cpufreqselector_dbus_send',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## cpufreq-selector over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cpufreqselector_dbus_chat',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+ allow cpufreqselector_t $1:dbus send_msg;
+')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.te refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.te
--- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.te 2011-01-08 19:07:21.177731088 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.te 2011-01-23 22:00:15.085140190 +0100
@@ -50,3 +50,7 @@ optional_policy(`
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
')
+
+optional_policy(`
+ xserver_xdm_dbus_send(cpufreqselector_t)
+')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-dbus/policy/modules/services/avahi.if
--- refpolicy-git-18012011/policy/modules/services/avahi.if 2011-01-08 19:07:21.224738512 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/avahi.if 2011-01-23 22:00:15.086140351 +0100
@@ -75,6 +75,25 @@ interface(`avahi_signull',`
########################################
## <summary>
+## Send a dbus message to avahi.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_dbus_send',`
+ gen_require(`
+ type avahi_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 avahi_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## avahi over dbus.
## </summary>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-dbus/policy/modules/services/avahi.te
--- refpolicy-git-18012011/policy/modules/services/avahi.te 2011-01-08 19:07:21.224738512 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/avahi.te 2011-01-23 22:00:15.087140512 +0100
@@ -104,9 +104,17 @@ optional_policy(`
')
optional_policy(`
+ ntp_dbus_send(avahi_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(avahi_t)
')
optional_policy(`
udev_read_db(avahi_t)
')
+
+optional_policy(`
+ xserver_xdm_dbus_send(avahi_t)
+')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-dbus/policy/modules/services/consolekit.if
--- refpolicy-git-18012011/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/consolekit.if 2011-01-23 22:00:15.089140834 +0100
@@ -20,6 +20,26 @@ interface(`consolekit_domtrans',`
########################################
## <summary>
+## Send a dbus message to
+## consolekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_dbus_send',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolekit_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## consolekit over dbus.
## </summary>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-dbus/policy/modules/services/dbus.te
--- refpolicy-git-18012011/policy/modules/services/dbus.te 2011-01-08 19:07:21.238740722 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/dbus.te 2011-01-23 22:01:53.627052747 +0100
@@ -141,6 +141,27 @@ optional_policy(`
')
optional_policy(`
+ consolekit_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+ cpufreqselector_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+ devicekit_dbus_send_disk(system_dbusd_t)
+ devicekit_dbus_send_power(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+ ntp_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
@@ -154,6 +175,10 @@ optional_policy(`
udev_read_db(system_dbusd_t)
')
+optional_policy(`
+ xserver_xdm_dbus_chat(system_dbusd_t)
+')
+
########################################
#
# Unconfined access to this module
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-dbus/policy/modules/services/devicekit.if
--- refpolicy-git-18012011/policy/modules/services/devicekit.if 2011-01-08 19:07:21.240741038 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/devicekit.if 2011-01-23 22:06:30.631464531 +0100
@@ -39,6 +39,44 @@ interface(`devicekit_dgram_send',`
########################################
## <summary>
+## Send a dbus message to devicekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_send',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send a dbus message to devicekit disk.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_send_disk',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_disk_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## devicekit over dbus.
## </summary>
@@ -98,6 +136,25 @@ interface(`devicekit_signal_power',`
')
########################################
+## <summary>
+## Send a dbus message to devicekit power.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_send_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+')
+
+########################################
## <summary>
## Send and receive messages from
## devicekit power over dbus.
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-dbus/policy/modules/services/devicekit.te
--- refpolicy-git-18012011/policy/modules/services/devicekit.te 2011-01-08 19:07:21.241741196 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/devicekit.te 2011-01-23 22:00:15.100142603 +0100
@@ -178,6 +178,10 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
+optional_policy(`
+ xserver_xdm_dbus_send(devicekit_disk_t)
+')
+
########################################
#
# DeviceKit-Power local policy
@@ -282,3 +286,7 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+
+optional_policy(`
+ xserver_xdm_dbus_send(devicekit_power_t)
+')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-dbus/policy/modules/services/hal.te
--- refpolicy-git-18012011/policy/modules/services/hal.te 2011-01-08 19:07:21.252742934 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/hal.te 2011-01-23 22:00:15.102142923 +0100
@@ -338,6 +338,10 @@ optional_policy(`
virt_manage_images(hald_t)
')
+optional_policy(`
+ xserver_xdm_dbus_send(hald_t)
+')
+
########################################
#
# Hal acl local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.if
--- refpolicy-git-18012011/policy/modules/services/networkmanager.if 2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.if 2011-01-23 22:00:15.103143084 +0100
@@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran
########################################
## <summary>
+## Send a dbus message to NetworkManager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dbus_send',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 NetworkManager_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## NetworkManager over dbus.
## </summary>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.te
--- refpolicy-git-18012011/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.te 2011-01-23 22:00:15.104143245 +0100
@@ -265,6 +265,10 @@ optional_policy(`
vpn_signull(NetworkManager_t)
')
+optional_policy(`
+ xserver_xdm_dbus_send(NetworkManager_t)
+')
+
########################################
#
# wpa_cli local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-dbus/policy/modules/services/ntp.if
--- refpolicy-git-18012011/policy/modules/services/ntp.if 2011-01-08 19:07:21.272746092 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/ntp.if 2011-01-23 22:00:15.105143406 +0100
@@ -163,3 +163,62 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
')
+
+########################################
+## <summary>
+## Send a dbus message to ntpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_dbus_send',`
+ gen_require(`
+ type ntpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ntpd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## ntpd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_dbus_chat',`
+ gen_require(`
+ type ntpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ntpd_t:dbus send_msg;
+ allow ntpd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to dbus using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_dbus_stream_connect',`
+ gen_require(`
+ type system_dbusd_t, system_dbusd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-dbus/policy/modules/services/ntp.te
--- refpolicy-git-18012011/policy/modules/services/ntp.te 2011-01-08 19:07:21.272746092 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/ntp.te 2011-01-23 22:00:15.106143567 +0100
@@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt
userdom_list_user_home_dirs(ntpd_t)
optional_policy(`
+ avahi_dbus_send(ntpd_t)
+')
+
+optional_policy(`
# for cron jobs
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
optional_policy(`
+ ntp_dbus_stream_connect(ntpd_t)
+')
+
+optional_policy(`
gpsd_rw_shm(ntpd_t)
')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.if
--- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if 2011-01-08 19:07:21.304751146 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.if 2011-01-23 22:00:15.107143728 +0100
@@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre
########################################
## <summary>
+## Send a dbus message to
+## setroubleshoot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_send',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshootd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## setroubleshoot over dbus.
## </summary>
@@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus
########################################
## <summary>
+## Send a dbus message to
+## setroubleshoot fixit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_send_fixit',`
+ gen_require(`
+ type setroubleshoot_fixit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshoot_fixit_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
-## setroubleshoot over dbus.
+## setroubleshoot fixit over dbus.
## </summary>
## <param name="domain">
## <summary>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.te
--- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te 2011-01-08 19:07:21.305751304 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.te 2011-01-23 22:00:15.120145817 +0100
@@ -125,12 +125,20 @@ optional_policy(`
')
optional_policy(`
+ logging_dbus_send_dispatcher(setroubleshootd_t)
+')
+
+optional_policy(`
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
')
+optional_policy(`
+ xserver_xdm_dbus_send(setroubleshootd_t)
+')
+
########################################
#
# setroubleshoot_fixit local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-dbus/policy/modules/services/xserver.if
--- refpolicy-git-18012011/policy/modules/services/xserver.if 2011-01-08 19:07:21.344757464 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/xserver.if 2011-01-23 22:00:15.121145978 +0100
@@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Send a dbus message to xdm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_dbus_send',`
+ gen_require(`
+ type xdm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 xdm_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## xdm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_dbus_chat',`
+ gen_require(`
+ type xdm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 xdm_t:dbus send_msg;
+ allow xdm_t $1:dbus send_msg;
+')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-dbus/policy/modules/services/xserver.te
--- refpolicy-git-18012011/policy/modules/services/xserver.te 2011-01-08 19:07:21.344757464 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/services/xserver.te 2011-01-23 22:00:15.126146783 +0100
@@ -508,6 +508,10 @@ optional_policy(`
')
optional_policy(`
+ avahi_dbus_send(xdm_t)
+')
+
+optional_policy(`
consolekit_dbus_chat(xdm_t)
')
@@ -516,12 +520,25 @@ optional_policy(`
')
optional_policy(`
+ cpufreqselector_dbus_send(xdm_t)
+')
+
+optional_policy(`
+ devicekit_dbus_send_disk(xdm_t)
+ devicekit_dbus_send_power(xdm_t)
+')
+
+optional_policy(`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
')
optional_policy(`
+ hal_dbus_send(xdm_t)
+')
+
+optional_policy(`
hostname_exec(xdm_t)
')
@@ -539,10 +556,18 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_dbus_send(xdm_t)
+')
+
+optional_policy(`
resmgr_stream_connect(xdm_t)
')
optional_policy(`
+ setroubleshoot_dbus_send(xdm_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-dbus/policy/modules/system/logging.if
--- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/system/logging.if 2011-01-23 22:00:15.130147425 +0100
@@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
########################################
## <summary>
+## Send a dbus message to the audit
+## dispatcher.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_dbus_send_dispatcher',`
+ gen_require(`
+ type audisp_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 audisp_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## the audit dispatcher over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_dbus_chat_dispatcher',`
+ gen_require(`
+ type audisp_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 audisp_t:dbus send_msg;
+ allow audisp_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Manage the auditd configuration files.
## </summary>
## <param name="domain">
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-dbus/policy/modules/system/logging.te
--- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
+++ refpolicy-git-18012011-dbus/policy/modules/system/logging.te 2011-01-23 22:00:15.134148069 +0100
@@ -246,6 +246,10 @@ optional_policy(`
dbus_system_bus_client(audisp_t)
')
+optional_policy(`
+ setroubleshoot_dbus_send(audisp_t)
+')
+
########################################
#
# Audit remote logger local policy
^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy
2011-01-24 0:43 [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy Guido Trentalancia
@ 2011-01-24 14:24 ` Dominick Grift
2011-01-31 18:52 ` Christopher J. PeBenito
0 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2011-01-24 14:24 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if
> --- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if 2011-01-08 19:07:21.176730930 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if 2011-01-23 22:00:15.084140029 +0100
> @@ -1 +1,42 @@
> ## <summary>Command-line CPU frequency settings.</summary>
> +
> +########################################
> +## <summary>
> +## Send a dbus message to
> +## cpufreq-selector.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cpufreqselector_dbus_send',`
> + gen_require(`
> + type cpufreqselector_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 cpufreqselector_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## cpufreq-selector over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cpufreqselector_dbus_chat',`
> + gen_require(`
> + type cpufreqselector_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 cpufreqselector_t:dbus send_msg;
> + allow cpufreqselector_t $1:dbus send_msg;
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.te refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.te
> --- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.te 2011-01-08 19:07:21.177731088 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.te 2011-01-23 22:00:15.085140190 +0100
> @@ -50,3 +50,7 @@ optional_policy(`
> policykit_read_lib(cpufreqselector_t)
> policykit_read_reload(cpufreqselector_t)
> ')
> +
> +optional_policy(`
> + xserver_xdm_dbus_send(cpufreqselector_t)
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-dbus/policy/modules/services/avahi.if
> --- refpolicy-git-18012011/policy/modules/services/avahi.if 2011-01-08 19:07:21.224738512 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/avahi.if 2011-01-23 22:00:15.086140351 +0100
> @@ -75,6 +75,25 @@ interface(`avahi_signull',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to avahi.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`avahi_dbus_send',`
> + gen_require(`
> + type avahi_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 avahi_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## avahi over dbus.
> ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-dbus/policy/modules/services/avahi.te
> --- refpolicy-git-18012011/policy/modules/services/avahi.te 2011-01-08 19:07:21.224738512 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/avahi.te 2011-01-23 22:00:15.087140512 +0100
> @@ -104,9 +104,17 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ntp_dbus_send(avahi_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(avahi_t)
> ')
>
> optional_policy(`
> udev_read_db(avahi_t)
> ')
> +
> +optional_policy(`
> + xserver_xdm_dbus_send(avahi_t)
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-dbus/policy/modules/services/consolekit.if
> --- refpolicy-git-18012011/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/consolekit.if 2011-01-23 22:00:15.089140834 +0100
> @@ -20,6 +20,26 @@ interface(`consolekit_domtrans',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to
> +## consolekit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`consolekit_dbus_send',`
> + gen_require(`
> + type consolekit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 consolekit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## consolekit over dbus.
> ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-dbus/policy/modules/services/dbus.te
> --- refpolicy-git-18012011/policy/modules/services/dbus.te 2011-01-08 19:07:21.238740722 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/dbus.te 2011-01-23 22:01:53.627052747 +0100
> @@ -141,6 +141,27 @@ optional_policy(`
> ')
>
> optional_policy(`
> + consolekit_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + cpufreqselector_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + devicekit_dbus_send_disk(system_dbusd_t)
> + devicekit_dbus_send_power(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + networkmanager_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + ntp_dbus_chat(system_dbusd_t)
> +')
> +
> +optional_policy(`
> policykit_dbus_chat(system_dbusd_t)
> policykit_domtrans_auth(system_dbusd_t)
> policykit_search_lib(system_dbusd_t)
> @@ -154,6 +175,10 @@ optional_policy(`
> udev_read_db(system_dbusd_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_chat(system_dbusd_t)
> +')
> +
> ########################################
> #
> # Unconfined access to this module
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-dbus/policy/modules/services/devicekit.if
> --- refpolicy-git-18012011/policy/modules/services/devicekit.if 2011-01-08 19:07:21.240741038 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/devicekit.if 2011-01-23 22:06:30.631464531 +0100
> @@ -39,6 +39,44 @@ interface(`devicekit_dgram_send',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to devicekit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send',`
> + gen_require(`
> + type devicekit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send a dbus message to devicekit disk.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send_disk',`
> + gen_require(`
> + type devicekit_disk_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_disk_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## devicekit over dbus.
> ## </summary>
> @@ -98,6 +136,25 @@ interface(`devicekit_signal_power',`
> ')
>
> ########################################
> +## <summary>
> +## Send a dbus message to devicekit power.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send_power',`
> + gen_require(`
> + type devicekit_power_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_power_t:dbus send_msg;
> +')
> +
> +########################################
> ## <summary>
> ## Send and receive messages from
> ## devicekit power over dbus.
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-dbus/policy/modules/services/devicekit.te
> --- refpolicy-git-18012011/policy/modules/services/devicekit.te 2011-01-08 19:07:21.241741196 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/devicekit.te 2011-01-23 22:00:15.100142603 +0100
> @@ -178,6 +178,10 @@ optional_policy(`
> virt_manage_images(devicekit_disk_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(devicekit_disk_t)
> +')
> +
> ########################################
> #
> # DeviceKit-Power local policy
> @@ -282,3 +286,7 @@ optional_policy(`
> optional_policy(`
> vbetool_domtrans(devicekit_power_t)
> ')
> +
> +optional_policy(`
> + xserver_xdm_dbus_send(devicekit_power_t)
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-dbus/policy/modules/services/hal.te
> --- refpolicy-git-18012011/policy/modules/services/hal.te 2011-01-08 19:07:21.252742934 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/hal.te 2011-01-23 22:00:15.102142923 +0100
> @@ -338,6 +338,10 @@ optional_policy(`
> virt_manage_images(hald_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(hald_t)
> +')
> +
> ########################################
> #
> # Hal acl local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.if
> --- refpolicy-git-18012011/policy/modules/services/networkmanager.if 2011-01-08 19:07:21.269745618 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.if 2011-01-23 22:00:15.103143084 +0100
> @@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran
>
> ########################################
> ## <summary>
> +## Send a dbus message to NetworkManager.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`networkmanager_dbus_send',`
> + gen_require(`
> + type NetworkManager_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 NetworkManager_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## NetworkManager over dbus.
> ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.te
> --- refpolicy-git-18012011/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/networkmanager.te 2011-01-23 22:00:15.104143245 +0100
> @@ -265,6 +265,10 @@ optional_policy(`
> vpn_signull(NetworkManager_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(NetworkManager_t)
> +')
> +
> ########################################
> #
> # wpa_cli local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-dbus/policy/modules/services/ntp.if
> --- refpolicy-git-18012011/policy/modules/services/ntp.if 2011-01-08 19:07:21.272746092 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/ntp.if 2011-01-23 22:00:15.105143406 +0100
> @@ -163,3 +163,62 @@ interface(`ntp_admin',`
> files_list_pids($1)
> admin_pattern($1, ntpd_var_run_t)
> ')
> +
> +########################################
> +## <summary>
> +## Send a dbus message to ntpd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_send',`
> + gen_require(`
> + type ntpd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ntpd_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## ntpd over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_chat',`
> + gen_require(`
> + type ntpd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ntpd_t:dbus send_msg;
> + allow ntpd_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Connect to dbus using a unix domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_stream_connect',`
> + gen_require(`
> + type system_dbusd_t, system_dbusd_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-dbus/policy/modules/services/ntp.te
> --- refpolicy-git-18012011/policy/modules/services/ntp.te 2011-01-08 19:07:21.272746092 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/ntp.te 2011-01-23 22:00:15.106143567 +0100
> @@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt
> userdom_list_user_home_dirs(ntpd_t)
>
> optional_policy(`
> + avahi_dbus_send(ntpd_t)
> +')
> +
> +optional_policy(`
> # for cron jobs
> cron_system_entry(ntpd_t, ntpdate_exec_t)
> ')
>
> optional_policy(`
> + ntp_dbus_stream_connect(ntpd_t)
> +')
> +
> +optional_policy(`
> gpsd_rw_shm(ntpd_t)
> ')
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.if
> --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if 2011-01-08 19:07:21.304751146 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.if 2011-01-23 22:00:15.107143728 +0100
> @@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre
>
> ########################################
> ## <summary>
> +## Send a dbus message to
> +## setroubleshoot.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`setroubleshoot_dbus_send',`
> + gen_require(`
> + type setroubleshootd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 setroubleshootd_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## setroubleshoot over dbus.
> ## </summary>
> @@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus
>
> ########################################
> ## <summary>
> +## Send a dbus message to
> +## setroubleshoot fixit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`setroubleshoot_dbus_send_fixit',`
> + gen_require(`
> + type setroubleshoot_fixit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 setroubleshoot_fixit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> -## setroubleshoot over dbus.
> +## setroubleshoot fixit over dbus.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.te
> --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te 2011-01-08 19:07:21.305751304 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/setroubleshoot.te 2011-01-23 22:00:15.120145817 +0100
> @@ -125,12 +125,20 @@ optional_policy(`
> ')
>
> optional_policy(`
> + logging_dbus_send_dispatcher(setroubleshootd_t)
> +')
> +
> +optional_policy(`
> rpm_signull(setroubleshootd_t)
> rpm_read_db(setroubleshootd_t)
> rpm_dontaudit_manage_db(setroubleshootd_t)
> rpm_use_script_fds(setroubleshootd_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(setroubleshootd_t)
> +')
> +
> ########################################
> #
> # setroubleshoot_fixit local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-dbus/policy/modules/services/xserver.if
> --- refpolicy-git-18012011/policy/modules/services/xserver.if 2011-01-08 19:07:21.344757464 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/xserver.if 2011-01-23 22:00:15.121145978 +0100
> @@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Send a dbus message to xdm.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_xdm_dbus_send',`
> + gen_require(`
> + type xdm_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 xdm_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## xdm over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_xdm_dbus_chat',`
> + gen_require(`
> + type xdm_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 xdm_t:dbus send_msg;
> + allow xdm_t $1:dbus send_msg;
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-dbus/policy/modules/services/xserver.te
> --- refpolicy-git-18012011/policy/modules/services/xserver.te 2011-01-08 19:07:21.344757464 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/services/xserver.te 2011-01-23 22:00:15.126146783 +0100
> @@ -508,6 +508,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + avahi_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> consolekit_dbus_chat(xdm_t)
> ')
>
> @@ -516,12 +520,25 @@ optional_policy(`
> ')
>
> optional_policy(`
> + cpufreqselector_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> + devicekit_dbus_send_disk(xdm_t)
> + devicekit_dbus_send_power(xdm_t)
> +')
> +
> +optional_policy(`
> # Talk to the console mouse server.
> gpm_stream_connect(xdm_t)
> gpm_setattr_gpmctl(xdm_t)
> ')
>
> optional_policy(`
> + hal_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> hostname_exec(xdm_t)
> ')
>
> @@ -539,10 +556,18 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> resmgr_stream_connect(xdm_t)
> ')
>
> optional_policy(`
> + setroubleshoot_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(xdm_t)
> ')
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-dbus/policy/modules/system/logging.if
> --- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.if 2011-01-23 22:00:15.130147425 +0100
> @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
>
> ########################################
> ## <summary>
> +## Send a dbus message to the audit
> +## dispatcher.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_dbus_send_dispatcher',`
> + gen_require(`
> + type audisp_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 audisp_t:dbus send_msg;
> +')
Not required use logging_dbus_chat_audisp()
Although i doubt that audisp has dbus functionality at all in the first
place. (i may well be wrong)
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## the audit dispatcher over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_dbus_chat_dispatcher',`
> + gen_require(`
> + type audisp_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 audisp_t:dbus send_msg;
> + allow audisp_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Manage the auditd configuration files.
> ## </summary>
> ## <param name="domain">
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-dbus/policy/modules/system/logging.te
> --- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.te 2011-01-23 22:00:15.134148069 +0100
> @@ -246,6 +246,10 @@ optional_policy(`
> dbus_system_bus_client(audisp_t)
> ')
>
> +optional_policy(`
> + setroubleshoot_dbus_send(audisp_t)
> +')
This should take care of chatting to audisp_t so the logging interfaces
above may no longer be needed.
I would have used setroubleshoot_dbus_chat() though
> +
> ########################################
> #
> # Audit remote logger local policy
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk09i7UACgkQMlxVo39jgT+cUQCdHMSGVR5jlCuUUm2m4CYUk2Fg
0WgAoMIlhCedmNrZsRVtFFJKi1JRJKh0
=sFuj
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy
2011-01-24 14:24 ` Dominick Grift
@ 2011-01-31 18:52 ` Christopher J. PeBenito
2011-01-31 23:15 ` Guido Trentalancia
0 siblings, 1 reply; 8+ messages in thread
From: Christopher J. PeBenito @ 2011-01-31 18:52 UTC (permalink / raw)
To: refpolicy
On 1/24/2011 9:24 AM, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
Please include descriptions on each of your patches. The subject is
definitely insufficient. I guess this is all the dbus changes you
suggest? More
>> diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if
>> --- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if 2011-01-08 19:07:21.176730930 +0100
>> +++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if 2011-01-23 22:00:15.084140029 +0100
>> @@ -1 +1,42 @@
>> ##<summary>Command-line CPU frequency settings.</summary>
>> +
[cut]
>> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-dbus/policy/modules/system/logging.if
>> --- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
>> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.if 2011-01-23 22:00:15.130147425 +0100
>> @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
>>
>> ########################################
>> ##<summary>
>> +## Send a dbus message to the audit
>> +## dispatcher.
>> +##</summary>
>> +##<param name="domain">
>> +##<summary>
>> +## Domain allowed access.
>> +##</summary>
>> +##</param>
>> +#
>> +interface(`logging_dbus_send_dispatcher',`
>> + gen_require(`
>> + type audisp_t;
>> + class dbus send_msg;
>> + ')
>> +
>> + allow $1 audisp_t:dbus send_msg;
>> +')
>
>
> Not required use logging_dbus_chat_audisp()
>
> Although i doubt that audisp has dbus functionality at all in the first
> place. (i may well be wrong)
I believe the purpose of this dbus functionality is for auditd to send
(via audisp) a message to setroubleshoot when there is a denial.
>> +########################################
>> +##<summary>
>> +## Send and receive messages from
>> +## the audit dispatcher over dbus.
>> +##</summary>
>> +##<param name="domain">
>> +##<summary>
>> +## Domain allowed access.
>> +##</summary>
>> +##</param>
>> +#
>> +interface(`logging_dbus_chat_dispatcher',`
>> + gen_require(`
>> + type audisp_t;
>> + class dbus send_msg;
>> + ')
>> +
>> + allow $1 audisp_t:dbus send_msg;
>> + allow audisp_t $1:dbus send_msg;
>> +')
>> +
>> +########################################
>> +##<summary>
>> ## Manage the auditd configuration files.
>> ##</summary>
>> ##<param name="domain">
>> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-dbus/policy/modules/system/logging.te
>> --- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
>> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.te 2011-01-23 22:00:15.134148069 +0100
>> @@ -246,6 +246,10 @@ optional_policy(`
>> dbus_system_bus_client(audisp_t)
>> ')
>>
>> +optional_policy(`
>> + setroubleshoot_dbus_send(audisp_t)
>> +')
>
> This should take care of chatting to audisp_t so the logging interfaces
> above may no longer be needed.
>
> I would have used setroubleshoot_dbus_chat() though
Its unclear, though I would think that send would be sufficient. I
don't see a need for there to be a response to audisp.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy
2011-01-31 18:52 ` Christopher J. PeBenito
@ 2011-01-31 23:15 ` Guido Trentalancia
[not found] ` <4D48132F.7070705@tresys.com>
2011-02-03 0:18 ` Martin Orr
0 siblings, 2 replies; 8+ messages in thread
From: Guido Trentalancia @ 2011-01-31 23:15 UTC (permalink / raw)
To: refpolicy
Hello again Christopher !
On Mon, 31/01/2011 at 13.52 -0500, Christopher J. PeBenito wrote:
> On 1/24/2011 9:24 AM, Dominick Grift wrote:
> > On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>
> Please include descriptions on each of your patches. The subject is
> definitely insufficient. I guess this is all the dbus changes you
> suggest? More
The DBus send_msg issue is the probably the main change introduced by
the set of patches that I am proposing.
The issue is very wide and needs careful approval. It's not limited to
this [2/19] patch/thread at all. It is mainly a style issue, but it's an
important one.
In my reply to [0/19] I have pointed out a few threads where such issue
has been discussed more extensively between me and Dominick, because we
kept having different point of views and none of us managed to
definitely persuade the other !
In any case, [2/19] and [8/19] are perhaps the most relevant places
where you can provide a definite direction on this (in short, can we
really talk about an hypothetical DBus "chat" throughout all refpolicy
and model interfaces accordingly to such assumption when on the other
hand the elementary data-flow in DBus is constituted by a
uni-directional message called "signal" ?).
Thanks again for your support and for your time.
Best regards,
Guido
> >> diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if
> >> --- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if 2011-01-08 19:07:21.176730930 +0100
> >> +++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if 2011-01-23 22:00:15.084140029 +0100
> >> @@ -1 +1,42 @@
> >> ##<summary>Command-line CPU frequency settings.</summary>
> >> +
> [cut]
>
> >> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-dbus/policy/modules/system/logging.if
> >> --- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
> >> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.if 2011-01-23 22:00:15.130147425 +0100
> >> @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
> >>
> >> ########################################
> >> ##<summary>
> >> +## Send a dbus message to the audit
> >> +## dispatcher.
> >> +##</summary>
> >> +##<param name="domain">
> >> +##<summary>
> >> +## Domain allowed access.
> >> +##</summary>
> >> +##</param>
> >> +#
> >> +interface(`logging_dbus_send_dispatcher',`
> >> + gen_require(`
> >> + type audisp_t;
> >> + class dbus send_msg;
> >> + ')
> >> +
> >> + allow $1 audisp_t:dbus send_msg;
> >> +')
> >
> >
> > Not required use logging_dbus_chat_audisp()
> >
> > Although i doubt that audisp has dbus functionality at all in the first
> > place. (i may well be wrong)
>
> I believe the purpose of this dbus functionality is for auditd to send
> (via audisp) a message to setroubleshoot when there is a denial.
>
> >> +########################################
> >> +##<summary>
> >> +## Send and receive messages from
> >> +## the audit dispatcher over dbus.
> >> +##</summary>
> >> +##<param name="domain">
> >> +##<summary>
> >> +## Domain allowed access.
> >> +##</summary>
> >> +##</param>
> >> +#
> >> +interface(`logging_dbus_chat_dispatcher',`
> >> + gen_require(`
> >> + type audisp_t;
> >> + class dbus send_msg;
> >> + ')
> >> +
> >> + allow $1 audisp_t:dbus send_msg;
> >> + allow audisp_t $1:dbus send_msg;
> >> +')
> >> +
> >> +########################################
> >> +##<summary>
> >> ## Manage the auditd configuration files.
> >> ##</summary>
> >> ##<param name="domain">
> >> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-dbus/policy/modules/system/logging.te
> >> --- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
> >> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.te 2011-01-23 22:00:15.134148069 +0100
> >> @@ -246,6 +246,10 @@ optional_policy(`
> >> dbus_system_bus_client(audisp_t)
> >> ')
> >>
> >> +optional_policy(`
> >> + setroubleshoot_dbus_send(audisp_t)
> >> +')
> >
> > This should take care of chatting to audisp_t so the logging interfaces
> > above may no longer be needed.
> >
> > I would have used setroubleshoot_dbus_chat() though
>
> Its unclear, though I would think that send would be sufficient. I
> don't see a need for there to be a response to audisp.
>
^ permalink raw reply [flat|nested] 8+ messages in thread[parent not found: <4D48132F.7070705@tresys.com>]
* [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy
[not found] ` <4D48132F.7070705@tresys.com>
@ 2011-02-01 20:03 ` Guido Trentalancia
[not found] ` <4D48649C.70000@tresys.com>
0 siblings, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2011-02-01 20:03 UTC (permalink / raw)
To: refpolicy
Hello Christopher !
On Tue, 01/02/2011 at 09.05 -0500, Christopher J. PeBenito wrote:
> On 01/31/11 18:15, Guido Trentalancia wrote:
> > Hello again Christopher !
> >
> > On Mon, 31/01/2011 at 13.52 -0500, Christopher J. PeBenito wrote:
> >> On 1/24/2011 9:24 AM, Dominick Grift wrote:
> >>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> >>
> >> Please include descriptions on each of your patches. The subject is
> >> definitely insufficient. I guess this is all the dbus changes you
> >> suggest? More
> >
> > The DBus send_msg issue is the probably the main change introduced by
> > the set of patches that I am proposing.
> >
> > The issue is very wide and needs careful approval. It's not limited to
> > this [2/19] patch/thread at all. It is mainly a style issue, but it's an
> > important one.
> >
> > In my reply to [0/19] I have pointed out a few threads where such issue
> > has been discussed more extensively between me and Dominick, because we
> > kept having different point of views and none of us managed to
> > definitely persuade the other !
> >
> > In any case, [2/19] and [8/19] are perhaps the most relevant places
> > where you can provide a definite direction on this (in short, can we
> > really talk about an hypothetical DBus "chat" throughout all refpolicy
> > and model interfaces accordingly to such assumption when on the other
> > hand the elementary data-flow in DBus is constituted by a
> > uni-directional message called "signal" ?).
>
> There already is an established verb for unidirectional dbus messaging:
> send. See unconfined_dbus_send() for an example. If there is
> unidirectional messaging, the policy should reflect that.
Yes, unconfined_dbus_send() can be used in the context of the unconfined
domain.
But then there are many other circumstances where DBus messaging needs
to take place. My original dbus-messaging patch ([2/19]) contains
several examples of where this appears to be needed.
I prefer to grant two distinct and separate uni-directional send_msg
permissions in the two relevant modules anyway (even in the case of
bi-directional messaging).
Therefore, I have always created new *_dbus_send() interfaces even where
*_dbus_chat() interfaces were present (and could in theory be used).
What do you think ?
Regards,
Guido
^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy
2011-01-31 23:15 ` Guido Trentalancia
[not found] ` <4D48132F.7070705@tresys.com>
@ 2011-02-03 0:18 ` Martin Orr
2011-02-03 21:43 ` Guido Trentalancia
1 sibling, 1 reply; 8+ messages in thread
From: Martin Orr @ 2011-02-03 0:18 UTC (permalink / raw)
To: refpolicy
On Mon 31 Jan 23:15:14 2011, Guido Trentalancia wrote:
> The DBus send_msg issue is the probably the main change introduced by
> the set of patches that I am proposing.
>
> The issue is very wide and needs careful approval. It's not limited to
> this [2/19] patch/thread at all. It is mainly a style issue, but it's an
> important one.
>
> In any case, [2/19] and [8/19] are perhaps the most relevant places
> where you can provide a definite direction on this (in short, can we
> really talk about an hypothetical DBus "chat" throughout all refpolicy
> and model interfaces accordingly to such assumption when on the other
> hand the elementary data-flow in DBus is constituted by a
> uni-directional message called "signal" ?).
I think that it is often better to think about "chats". Often one
process A (e.g. consolekit or setroubleshoot) provides a service which
many other processes B can use by sending a DBus message to A. A only
sends messages to B after getting messages from B.
In this case, I think it is likely to be more maintainable if each
module B uses A_dbus_chat, instead of putting a big list of all the
possible B into module A. I do not care strongly about it however.
--
Martin Orr
^ permalink raw reply [flat|nested] 8+ messages in thread* [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy
2011-02-03 0:18 ` Martin Orr
@ 2011-02-03 21:43 ` Guido Trentalancia
0 siblings, 0 replies; 8+ messages in thread
From: Guido Trentalancia @ 2011-02-03 21:43 UTC (permalink / raw)
To: refpolicy
Hello Martin !
On Thu, 03/02/2011 alle 00.18 +0000, Martin Orr wrote:
> On Mon 31 Jan 23:15:14 2011, Guido Trentalancia wrote:
> > The DBus send_msg issue is the probably the main change introduced by
> > the set of patches that I am proposing.
> >
> > The issue is very wide and needs careful approval. It's not limited to
> > this [2/19] patch/thread at all. It is mainly a style issue, but it's an
> > important one.
> >
> > In any case, [2/19] and [8/19] are perhaps the most relevant places
> > where you can provide a definite direction on this (in short, can we
> > really talk about an hypothetical DBus "chat" throughout all refpolicy
> > and model interfaces accordingly to such assumption when on the other
> > hand the elementary data-flow in DBus is constituted by a
> > uni-directional message called "signal" ?).
>
> I think that it is often better to think about "chats". Often one
> process A (e.g. consolekit or setroubleshoot) provides a service which
> many other processes B can use by sending a DBus message to A. A only
> sends messages to B after getting messages from B.
>
> In this case, I think it is likely to be more maintainable if each
> module B uses A_dbus_chat, instead of putting a big list of all the
> possible B into module A. I do not care strongly about it however.
Yes, it is possible to do it that way if the majority of people prefer
it like that.
Any other technical comment ? So far I have only applied some
improvements from Dominick Grift. If you think there is something else
to improve please let me know as I am waiting for further comments.
Thanks for your time !
Regards,
Guido
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2011-02-03 21:43 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-01-24 0:43 [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy Guido Trentalancia
2011-01-24 14:24 ` Dominick Grift
2011-01-31 18:52 ` Christopher J. PeBenito
2011-01-31 23:15 ` Guido Trentalancia
[not found] ` <4D48132F.7070705@tresys.com>
2011-02-01 20:03 ` Guido Trentalancia
[not found] ` <4D48649C.70000@tresys.com>
2011-02-01 20:59 ` Guido Trentalancia
2011-02-03 0:18 ` Martin Orr
2011-02-03 21:43 ` Guido Trentalancia
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.