From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 26 Sep 2013 10:25:51 -0400
Subject: [refpolicy] [PATCH 03/20] Unconfined domains have unconfined access to all of dbus rather than only system bus
In-Reply-To: <1380029951-24934-1-git-send-email-dominick.grift@gmail.com>
References: <1380029951-24934-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <524443EF.2030402@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue 24 Sep 2013 09:39:11 AM EDT, Dominick Grift wrote:
> unconfined: unconfined_t is real-time scheduled by rtkit
>
> Signed-off-by: Dominick Grift
> ---
> policy/modules/system/unconfined.if | 3 +--
> policy/modules/system/unconfined.te | 49 ++++++-------------------------------------------
> 2 files changed, 9 insertions(+), 43 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index db7aabb..5ca20a9 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -67,8 +67,7 @@ interface(`unconfined_domain_noaudit',`
> ')
>
> optional_policy(`
> - # Communicate via dbusd.
> - dbus_system_bus_unconfined($1)
> + dbus_unconfined($1)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 0280b32..15ed47d 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
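Review bot: In the unconfined.if hunk, the swap from `dbus_system_bus_unconfined($1)` to `dbus_unconfined($1)` widens the grant for every domain passed to `unconfined_domain_noaudit`, not only unconfined_t, and the only comment in that block is deleted rather than updated. The quoted commit body mentions only the rtkit change, so the widening (all of dbus, per the subject line) is recorded nowhere next to the rule. I would keep a comment in place of the removed one, for example `# Unconfined access to all of dbus, not only the system bus.` The per-service `*_dbus_chat` removals in unconfined.te presumably rely on this broader grant, so callers of the interface in other modules are worth checking for access they did not previously have. The interface body starts and ends outside the hunk.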
> @@ -76,40 +76,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - init_dbus_chat_script(unconfined_t)
> -
> - dbus_stub(unconfined_t)
> -
> - optional_policy(`
> - avahi_dbus_chat(unconfined_t)
> - ')
> -
> - optional_policy(`
> - bluetooth_dbus_chat(unconfined_t)
> - ')
> -
> - optional_policy(`
> - consolekit_dbus_chat(unconfined_t)
> - ')
> -
> - optional_policy(`
> - cups_dbus_chat_config(unconfined_t)
> - ')
> -
> - optional_policy(`
> - hal_dbus_chat(unconfined_t)
> - ')
> -
> - optional_policy(`
> - networkmanager_dbus_chat(unconfined_t)
> - ')
> -
> - optional_policy(`
> - oddjob_dbus_chat(unconfined_t)
> - ')
> -')
> -
> -optional_policy(`
> firstboot_run(unconfined_t, unconfined_r)
> ')
>
> @@ -179,6 +145,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + rtkit_scheduled(unconfined_t)
> +')
> +
> +optional_policy(`
> rpm_run(unconfined_t, unconfined_r)
> ')
>
> @@ -201,6 +171,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + unconfined_dbus_chat(unconfined_t)
> +')
> +
> +optional_policy(`
> usermanage_run_admin_passwd(unconfined_t, unconfined_r)
> ')
>
> @@ -229,12 +203,5 @@ allow unconfined_execmem_t self:process { execstack execmem };
> unconfined_domain_noaudit(unconfined_execmem_t)
>
> optional_policy(`
> - dbus_stub(unconfined_execmem_t)
> -
> - init_dbus_chat_script(unconfined_execmem_t)
> unconfined_dbus_chat(unconfined_execmem_t)
> -
> - optional_policy(`
> - hal_dbus_chat(unconfined_execmem_t)
> - ')
> ')

Merged.

-- 
Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com