* [refpolicy] [PATCH 03/20] Unconfined domains have unconfined access to all of dbus rather than only system bus
@ 2013-09-24 13:39 Dominick Grift
2013-09-26 14:25 ` Christopher J. PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2013-09-24 13:39 UTC (permalink / raw)
To: refpolicy
unconfined: unconfined_t is real-time scheduled by rtkit
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/unconfined.if | 3 +--
policy/modules/system/unconfined.te | 49 ++++++-------------------------------
2 files changed, 9 insertions(+), 43 deletions(-)
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index db7aabb..5ca20a9 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -67,8 +67,7 @@ interface(`unconfined_domain_noaudit',`
')
optional_policy(`
- # Communicate via dbusd.
- dbus_system_bus_unconfined($1)
+ dbus_unconfined($1)
')
optional_policy(`
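Review bot: In the `unconfined_domain_noaudit` interface, replacing `dbus_system_bus_unconfined($1)` with `dbus_unconfined($1)` widens D-Bus access for every domain passed to this interface, not only unconfined_t, and the removed comment is not replaced. The commit body mentions only rtkit scheduling, so the scope change named in the subject line should be stated there as well. A one-line comment above `dbus_unconfined($1)` saying it covers all of dbus rather than only the system bus would keep the intent visible in the file.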
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 0280b32..15ed47d 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -76,40 +76,6 @@ optional_policy(`
')
optional_policy(`
- init_dbus_chat_script(unconfined_t)
-
- dbus_stub(unconfined_t)
-
- optional_policy(`
- avahi_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- bluetooth_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- consolekit_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- cups_dbus_chat_config(unconfined_t)
- ')
-
- optional_policy(`
- hal_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- oddjob_dbus_chat(unconfined_t)
- ')
-')
-
-optional_policy(`
firstboot_run(unconfined_t, unconfined_r)
')
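Review bot: The block deleted here for unconfined_t drops `dbus_stub` and eight explicit chat interfaces, including `cups_dbus_chat_config`, which is named differently from the other `*_dbus_chat` calls, yet neither the hunk nor the commit message says what now grants that access. If these are meant to be subsumed by `dbus_unconfined($1)` in unconfined.if, say so in the commit message. Also confirm that unconfined_t actually passes through that interface, since that call is not visible anywhere in this patch.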
@@ -179,6 +145,10 @@ optional_policy(`
')
optional_policy(`
+ rtkit_scheduled(unconfined_t)
+')
+
+optional_policy(`
rpm_run(unconfined_t, unconfined_r)
')
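Review bot: The new `rtkit_scheduled(unconfined_t)` block is placed before `rpm_run`, while the optional blocks visible in this patch (firstboot_run, rpm_run, usermanage_run_admin_passwd) are in alphabetical order by module and rtkit sorts after rpm. Move it below the rpm block. It is also unrelated to the D-Bus change in the subject line, so it would be easier to audit and revert as its own patch.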
@@ -201,6 +171,10 @@ optional_policy(`
')
optional_policy(`
+ unconfined_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
usermanage_run_admin_passwd(unconfined_t, unconfined_r)
')
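Review bot: The added `unconfined_dbus_chat(unconfined_t)` passes unconfined_t to its own module's chat interface, and nothing in the hunk explains why the domain needs to chat with itself over D-Bus. Add a short comment giving the reason. Since the `optional_policy` now wraps only an interface of this same module, also note which optional dependency the block is guarding.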
@@ -229,12 +203,5 @@ allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
optional_policy(`
- dbus_stub(unconfined_execmem_t)
-
- init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
-
- optional_policy(`
- hal_dbus_chat(unconfined_execmem_t)
- ')
')
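Review bot: With `dbus_stub(unconfined_execmem_t)` removed, the remaining `optional_policy` holds only `unconfined_dbus_chat(unconfined_execmem_t)`, so nothing visible in the block ties it to the dbus module any more. If `unconfined_dbus_chat` does not itself require a dbus type, the optional wrapper no longer does anything and the call will fail to build without dbus, so check that before dropping the stub. The removal of `init_dbus_chat_script` and `hal_dbus_chat` relies on the context line `unconfined_domain_noaudit(unconfined_execmem_t)` now granting `dbus_unconfined`, and a comment saying so would make that dependency explicit.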
--
1.8.3.1
* [refpolicy] [PATCH 03/20] Unconfined domains have unconfined access to all of dbus rather than only system bus
2013-09-24 13:39 [refpolicy] [PATCH 03/20] Unconfined domains have unconfined access to all of dbus rather than only system bus Dominick Grift
@ 2013-09-26 14:25 ` Christopher J. PeBenito
0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2013-09-26 14:25 UTC (permalink / raw)
To: refpolicy
On Tue 24 Sep 2013 09:39:11 AM EDT, Dominick Grift wrote:
> unconfined: unconfined_t is real-time scheduled by rtkit
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/unconfined.if | 3 +--
> policy/modules/system/unconfined.te | 49 ++++++-------------------------------
> 2 files changed, 9 insertions(+), 43 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index db7aabb..5ca20a9 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -67,8 +67,7 @@ interface(`unconfined_domain_noaudit',`
> ')
>
> optional_policy(`
> - # Communicate via dbusd.
> - dbus_system_bus_unconfined($1)
> + dbus_unconfined($1)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 0280b32..15ed47d 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -76,40 +76,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - init_dbus_chat_script(unconfined_t)
> -
> - dbus_stub(unconfined_t)
> -
> - optional_policy(`
> - avahi_dbus_chat(unconfined_t)
> - ')
> -
> - optional_policy(`
> - bluetooth_dbus_chat(unconfined_t)
> - ')
> -
> - optional_policy(`
> - consolekit_dbus_chat(unconfined_t)
> - ')
> -
> - optional_policy(`
> - cups_dbus_chat_config(unconfined_t)
> - ')
> -
> - optional_policy(`
> - hal_dbus_chat(unconfined_t)
> - ')
> -
> - optional_policy(`
> - networkmanager_dbus_chat(unconfined_t)
> - ')
> -
> - optional_policy(`
> - oddjob_dbus_chat(unconfined_t)
> - ')
> -')
> -
> -optional_policy(`
> firstboot_run(unconfined_t, unconfined_r)
> ')
>
> @@ -179,6 +145,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + rtkit_scheduled(unconfined_t)
> +')
> +
> +optional_policy(`
> rpm_run(unconfined_t, unconfined_r)
> ')
>
> @@ -201,6 +171,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + unconfined_dbus_chat(unconfined_t)
> +')
> +
> +optional_policy(`
> usermanage_run_admin_passwd(unconfined_t, unconfined_r)
> ')
>
> @@ -229,12 +203,5 @@ allow unconfined_execmem_t self:process { execstack execmem };
> unconfined_domain_noaudit(unconfined_execmem_t)
>
> optional_policy(`
> - dbus_stub(unconfined_execmem_t)
> -
> - init_dbus_chat_script(unconfined_execmem_t)
> unconfined_dbus_chat(unconfined_execmem_t)
> -
> - optional_policy(`
> - hal_dbus_chat(unconfined_execmem_t)
> - ')
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com