[PATCH] dbus: remove deprecated at

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] dbus: remove deprecated at_console statement
@ 2018-11-16 12:25 Petr Lautrbach
  2018-11-21 13:48 ` Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2018-11-16 12:25 UTC (permalink / raw)
  To: selinux; +Cc: Tom Gundersen, David Herrmann

From: Tom Gundersen <teg@jklm.no>

As described in [0], this likely did not have the intended effect, so
simply remove it. The change in behavior is that up until this patch
it would be possible for any non-system user to potentially gain access
to selinux' dbus interface. Now this is extended to also allow any
system user.

As the comment indicates, PolicyKit is used to enforce access, so this
should be perfectly harmless.

[0]: <https://www.spinics.net/lists/linux-bluetooth/msg75267.html>

Signed-off-by: Tom Gundersen <teg@jklm.no>
CC: David Herrmann <dh.herrmann@gmail.com>
---

This patch is from PR 113 - https://github.com/SELinuxProject/selinux/pull/113

 dbus/org.selinux.conf | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/dbus/org.selinux.conf b/dbus/org.selinux.conf
index a3509781..1ae079d2 100644
--- a/dbus/org.selinux.conf
+++ b/dbus/org.selinux.conf
@@ -12,12 +12,8 @@
 
   <!-- Allow anyone to invoke methods on the interfaces,
        authorization is performed by PolicyKit -->
-  <policy at_console="true">
-    <allow send_destination="org.selinux"/>
-  </policy>
   <policy context="default">
-    <allow send_destination="org.selinux"
-	   send_interface="org.freedesktop.DBus.Introspectable"/>
+    <allow send_destination="org.selinux"/>
   </policy>
 
 </busconfig>
-- 
2.19.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] dbus: remove deprecated at_console statement
  2018-11-16 12:25 [PATCH] dbus: remove deprecated at_console statement Petr Lautrbach
@ 2018-11-21 13:48 ` Petr Lautrbach
  2018-11-22  9:47   ` Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2018-11-21 13:48 UTC (permalink / raw)
  To: selinux; +Cc: Tom Gundersen, David Herrmann

> From: Tom Gundersen <teg@jklm.no>
>
> As described in [0], this likely did not have the intended effect, so
> simply remove it. The change in behavior is that up until this patch
> it would be possible for any non-system user to potentially gain access
> to selinux' dbus interface. Now this is extended to also allow any
> system user.
>
> As the comment indicates, PolicyKit is used to enforce access, so this
> should be perfectly harmless.
>
> [0]: <https://www.spinics.net/lists/linux-bluetooth/msg75267.html>
>
> Signed-off-by: Tom Gundersen <teg@jklm.no>
> CC: David Herrmann <dh.herrmann@gmail.com>

Acked-by: Petr Lautrbach <plautrba@redhat.com>

> ---
>
> This patch is from PR 113 - https://github.com/SELinuxProject/selinux/pull/113
>
>  dbus/org.selinux.conf | 6 +-----
>  1 file changed, 1 insertion(+), 5 deletions(-)
>
> diff --git a/dbus/org.selinux.conf b/dbus/org.selinux.conf
> index a3509781..1ae079d2 100644
> --- a/dbus/org.selinux.conf
> +++ b/dbus/org.selinux.conf
> @@ -12,12 +12,8 @@
>  
>    <!-- Allow anyone to invoke methods on the interfaces,
>         authorization is performed by PolicyKit -->
> -  <policy at_console="true">
> -    <allow send_destination="org.selinux"/>
> -  </policy>
>    <policy context="default">
> -    <allow send_destination="org.selinux"
> -	   send_interface="org.freedesktop.DBus.Introspectable"/>
> +    <allow send_destination="org.selinux"/>
>    </policy>
>  
>  </busconfig>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] dbus: remove deprecated at_console statement
  2018-11-21 13:48 ` Petr Lautrbach
@ 2018-11-22  9:47   ` Petr Lautrbach
  0 siblings, 0 replies; 3+ messages in thread
From: Petr Lautrbach @ 2018-11-22  9:47 UTC (permalink / raw)
  To: selinux; +Cc: Tom Gundersen, David Herrmann

Petr Lautrbach <plautrba@redhat.com> writes:

>> From: Tom Gundersen <teg@jklm.no>
>>
>> As described in [0], this likely did not have the intended effect, so
>> simply remove it. The change in behavior is that up until this patch
>> it would be possible for any non-system user to potentially gain access
>> to selinux' dbus interface. Now this is extended to also allow any
>> system user.
>>
>> As the comment indicates, PolicyKit is used to enforce access, so this
>> should be perfectly harmless.
>>
>> [0]: <https://www.spinics.net/lists/linux-bluetooth/msg75267.html>
>>
>> Signed-off-by: Tom Gundersen <teg@jklm.no>
>> CC: David Herrmann <dh.herrmann@gmail.com>
>
> Acked-by: Petr Lautrbach <plautrba@redhat.com>

Merged. Thanks!

>> ---
>>
>> This patch is from PR 113 - https://github.com/SELinuxProject/selinux/pull/113
>>
>>  dbus/org.selinux.conf | 6 +-----
>>  1 file changed, 1 insertion(+), 5 deletions(-)
>>
>> diff --git a/dbus/org.selinux.conf b/dbus/org.selinux.conf
>> index a3509781..1ae079d2 100644
>> --- a/dbus/org.selinux.conf
>> +++ b/dbus/org.selinux.conf
>> @@ -12,12 +12,8 @@
>>  
>>    <!-- Allow anyone to invoke methods on the interfaces,
>>         authorization is performed by PolicyKit -->
>> -  <policy at_console="true">
>> -    <allow send_destination="org.selinux"/>
>> -  </policy>
>>    <policy context="default">
>> -    <allow send_destination="org.selinux"
>> -	   send_interface="org.freedesktop.DBus.Introspectable"/>
>> +    <allow send_destination="org.selinux"/>
>>    </policy>
>>  
>>  </busconfig>

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-11-22  9:47 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-11-16 12:25 [PATCH] dbus: remove deprecated at_console statement Petr Lautrbach
2018-11-21 13:48 ` Petr Lautrbach
2018-11-22  9:47   ` Petr Lautrbach

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.