* [refpolicy] [PATCH 29/34]: patch to add sys_ptrace permission to the dbus module
@ 2011-02-16 6:35 Guido Trentalancia
From: Guido Trentalancia @ 2011-02-16 6:35 UTC (permalink / raw)
To: refpolicy
This patch adds self:capability sys_ptrace to the dbus module.
--- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 02:36:05.874787818 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:51:51.910683659 +0100
@@ -52,7 +52,7 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
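Review bot: sys_ptrace is added without any justification, and it is the only permission in this hunk that the surrounding comments do not explain (dac_override gets `# dac_override: /var/run/dbus is owned by messagebus on Debian`). Add a comment above the allow rule naming the dbus-daemon operation that produces the denial, and check whether the capability is actually required or only probed: the module's existing pattern for a probed capability is `dontaudit system_dbusd_t self:capability sys_tty_config;`, and a dontaudit beside that line is the safer change if the daemon works without it.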
* [refpolicy] [PATCH 29/34]: patch to add sys_ptrace permission to the dbus module
From: Christopher J. PeBenito @ 2011-02-28 14:48 UTC (permalink / raw)
To: refpolicy
On 02/16/11 01:35, Guido Trentalancia wrote:
> This patch adds self:capability sys_ptrace to the dbus module.
>
> --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 02:36:05.874787818 +0100
> +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:51:51.910683659 +0100
> @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
>
> # dac_override: /var/run/dbus is owned by messagebus on Debian
> # cjp: dac_override should probably go in a distro_debian
> -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
> +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
> dontaudit system_dbusd_t self:capability sys_tty_config;
> allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
> allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
I find this highly questionable. It needs justification.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 29/34]: patch to add sys_ptrace permission to the dbus module
From: Daniel J Walsh @ 2011-02-28 15:31 UTC (permalink / raw)
To: refpolicy
On 02/28/2011 09:48 AM, Christopher J. PeBenito wrote:
> On 02/16/11 01:35, Guido Trentalancia wrote:
>> This patch adds self:capability sys_ptrace to the dbus module.
>>
>> --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 02:36:05.874787818 +0100
>> +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:51:51.910683659 +0100
>> @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
>>
>> # dac_override: /var/run/dbus is owned by messagebus on Debian
>> # cjp: dac_override should probably go in a distro_debian
>> -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
>> +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
>> dontaudit system_dbusd_t self:capability sys_tty_config;
>> allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
>> allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
>
> I find this highly questionable. It needs justification.
>
We do not have this in Fedora. Might be similar to policykit, examining /proc/PID/cmdline.
* [refpolicy] [PATCH 29/34]: patch to add sys_ptrace permission to the dbus module
From: Guido Trentalancia @ 2011-02-28 18:30 UTC (permalink / raw)
To: refpolicy
Hello Christopher!
On Mon, 28/02/2011 at 09.48 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:35, Guido Trentalancia wrote:
> > This patch adds self:capability sys_ptrace to the dbus module.
> >
> > --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 02:36:05.874787818 +0100
> > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:51:51.910683659 +0100
> > @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
> >
> > # dac_override: /var/run/dbus is owned by messagebus on Debian
> > # cjp: dac_override should probably go in a distro_debian
> > -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
> > +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
> > dontaudit system_dbusd_t self:capability sys_tty_config;
> > allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
> > allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
>
> I find this highly questionable. It needs justification.
After testing with the latest dbus, there are even more:
+ sys_resource in capability
and
+ setrlimit in process.
What's the latest version of dbus that you have tested?
Regards,
Guido
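The extra permissions reported above (sys_resource in capability, setrlimit in process) are the kind of thing a policy writer recovers from audit.log denials. The following is an added example, not code from this thread or from refpolicy: it parses constructed avc: denied lines for system_dbusd_t and renders them as refpolicy-style rules, with a caller-chosen set of permissions emitted as dontaudit instead of allow, the way dbus.te already treats sys_tty_config. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread), in the kernel's avc: denied format.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1298905830.101:201): avc:  denied  { sys_ptrace } for  pid=1234 comm="dbus-daemon" capability=19  scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
type=AVC msg=audit(1298905830.102:202): avc:  denied  { sys_resource } for  pid=1234 comm="dbus-daemon" capability=24  scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
type=AVC msg=audit(1298905830.103:203): avc:  denied  { setrlimit } for  pid=1234 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
type=AVC msg=audit(1298905830.104:204): avc:  denied  { sys_ptrace } for  pid=1234 comm="dbus-daemon" capability=19  scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
type=AVC msg=audit(1298905830.105:205): avc:  denied  { read } for  pid=999 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_denials(log_text):
    """Map (source_type, target, tclass) -> set of denied permissions; the target is
    written as 'self' when source and target types match, as dbus.te spells it."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        target = "self" if stype == ttype else ttype
        rules[(stype, target, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def _perm_set(perms):
    # refpolicy writes a single permission bare and several inside braces
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_rules(rules, source_type, dontaudit=frozenset()):
    """Render refpolicy-style rules for one source type. Permissions listed in
    `dontaudit` become dontaudit rules, the module's existing pattern for a
    capability the daemon probes but does not need (cf. sys_tty_config in dbus.te)."""
    out = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        if stype != source_type:
            continue
        allowed = sorted(perms - dontaudit)
        silenced = sorted(perms & dontaudit)
        if allowed:
            out.append(f"allow {stype} {target}:{tclass} {_perm_set(allowed)};")
        if silenced:
            out.append(f"dontaudit {stype} {target}:{tclass} {_perm_set(silenced)};")
    return out
```

Denials from other domains (the sshd_t line) are parsed but not rendered for system_dbusd_t, and repeated denials collapse into one rule.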