commit: f357fdca811ff027a972abe90b8f48622ada5f69
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Jul 24 12:45:04 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep 2 21:59:08 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f357fdca
dbus (#980)
* Some small dbus changes. Allow using logind fds (for systemd-logind opening
files and passing them to sessions). Add some more tunable policy for
dbus-broker
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/bluetooth.if | 38 ++++++++++++++++++++++++++++++++++++
policy/modules/services/dbus.te | 28 +++++++++++++++++++++++++-
policy/modules/services/rtkit.if | 38 ++++++++++++++++++++++++++++++++++++
3 files changed, 103 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/bluetooth.if
b/policy/modules/services/bluetooth.if
index bc3a72c15..99788f727 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -255,3 +255,41 @@ interface(`bluetooth_admin',`
files_list_runtime($1)
admin_pattern($1, bluetooth_runtime_t)
')
+
+########################################
+## <summary>
+## Get status of bluetooth_unit_t service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_service_status',`
+ gen_require(`
+ type bluetooth_unit_t;
+ class service { status };
+ ')
+
+ allow $1 bluetooth_unit_t:service status;
+')
+
+########################################
+## <summary>
+## start bluetooth service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_service_start',`
+ gen_require(`
+ type bluetooth_unit_t;
+ class service { start };
+ ')
+
+ allow $1 bluetooth_unit_t:service start;
+')
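Review bot: The summary of `bluetooth_service_start` ("start bluetooth service") is lowercase and phrased differently from the `bluetooth_service_status` summary directly above it, and the rtkit.if hunk has the same inconsistency in `rtkit_service_start` ("start rtkit daemon service"). Refpolicy interface summaries are sentence-cased and name the type, so `## Start the bluetooth_unit_t service` and `## Start the rtkit_daemon_unit_t service` would match their status counterparts. Because `service start` on a unit lets the caller have systemd launch the service, the summary could also say what the grant is for; from the callers in dbus.te it appears to exist for the dbus-broker activation path behind `dbus_broker_system_bus`, but that is inferred and worth confirming before writing it down.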
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index a65dbce7b..075b06eed 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -92,12 +92,16 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 -
mls_systemhigh)
')
+optional_policy(`
+ systemd_use_logind_fds(system_dbusd_t)
+')
+
########################################
#
# Local policy
#
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid
sys_resource };
+allow system_dbusd_t self:capability { dac_override kill setgid setpcap setuid
sys_resource };
# net_admin for changing buffer sizes
dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };
allow system_dbusd_t self:process { getattr getcap getsched setcap setpgid
setrlimit signal_perms };
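Review bot: `kill` is added to the system_dbusd_t self capability set without a comment saying which operation needs CAP_KILL, while the neighbouring `# net_admin for changing buffer sizes` shows this file's convention of explaining each unusual capability; a line such as `# kill for <operation that triggered the denial>` above the allow rule would keep that convention. CAP_KILL lets the daemon signal processes of other UIDs, so recording the reason matters even though SELinux `process signal` rules still bound which domains it can reach. Separately, the `optional_policy(` block calling `systemd_use_logind_fds` is inserted above the `# Local policy` banner, i.e. in the declarations area of the file, whereas the later hunk already touches a systemd `optional_policy(` block (the one gaining `systemd_connect_machined`) where this call would sit with the other systemd rules.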
@@ -171,6 +175,7 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
+init_read_runtime_files(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
init_all_labeled_script_domtrans(system_dbusd_t)
@@ -228,6 +233,8 @@ ifdef(`init_systemd', `
tunable_policy(`dbus_broker_system_bus',`
init_get_system_status(system_dbusd_t)
+ init_get_generic_units_status(system_dbusd_t)
+ init_start_generic_units(system_dbusd_t)
')
')
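Review bot: `init_get_generic_units_status` and `init_start_generic_units` grant status and start on every generic unit, which is far broader than the per-service interfaces this same commit adds for rtkit, bluetooth and power units, and nothing in the hunk says why the broad grant is still required alongside them. A comment above the two calls naming the case that needs it, presumably bus-activated services whose units carry no specific type (to be confirmed), would make the scope reviewable later; something like `# units with no specific type, activated via systemd by dbus-broker-launch` if that is indeed the reason. The enclosing `ifdef(`init_systemd'` block starts outside the hunk.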
@@ -259,6 +266,15 @@ optional_policy(`
')
optional_policy(`
+ tunable_policy(`dbus_broker_system_bus',`
+ rtkit_service_start(system_dbusd_t)
+ rtkit_service_status(system_dbusd_t)
+ ')
+')
+
+optional_policy(`
+ systemd_connect_machined(system_dbusd_t)
+
# for /run/systemd/users/*
systemd_read_logind_runtime_files(system_dbusd_t)
systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
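Review bot: `systemd_connect_machined(system_dbusd_t)` is added unconditionally, whereas every other new grant in this commit (rtkit, power units, bluetooth, generic units) is placed under `tunable_policy(`dbus_broker_system_bus'`. If machined access is only needed by dbus-broker it should sit inside that tunable like the others; if dbus-daemon also needs it, a comment such as `# needed by both dbus-daemon and dbus-broker` would stop the next reader from moving it. The `optional_policy(` block it opens continues past the end of the hunk.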
@@ -270,11 +286,19 @@ optional_policy(`
# allow populating of /var/lib/dbus by systemd-tmpfilesd
systemd_tmpfilesd_managed(system_dbusd_var_lib_t)
+ tunable_policy(`dbus_broker_system_bus',`
+ systemd_start_power_units(system_dbusd_t)
+ systemd_status_power_units(system_dbusd_t)
+ ')
')
optional_policy(`
bluetooth_use(system_dbusd_t)
bluetooth_use_inherited_helper_stream_sockets(system_dbusd_t)
+ tunable_policy(`dbus_broker_system_bus',`
+ bluetooth_service_status(system_dbusd_t)
+ bluetooth_service_start(system_dbusd_t)
+ ')
')
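Review bot: The bluetooth block lists `bluetooth_service_status` before `bluetooth_service_start`, while the rtkit and power-unit blocks in the preceding hunks list start before status; ordering the pair the same way in all three gated blocks makes the dbus-broker grants easier to compare at a glance. Swapping the two bluetooth lines so that `bluetooth_service_start(system_dbusd_t)` comes first is enough.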
optional_policy(`
@@ -355,6 +379,7 @@ fs_getattr_romfs(session_bus_type)
fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
+fs_search_tmpfs(session_bus_type)
kernel_getattr_proc(session_bus_type)
@@ -364,6 +389,7 @@ selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
selinux_compute_relabel_context(session_bus_type)
selinux_compute_user_contexts(session_bus_type)
+selinux_use_status_page(session_bus_type)
auth_read_pam_console_data(session_bus_type)
diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
index 468fb34e1..dd0e003c6 100644
--- a/policy/modules/services/rtkit.if
+++ b/policy/modules/services/rtkit.if
@@ -92,3 +92,41 @@ interface(`rtkit_admin',`
init_startstop_service($1, $2, rtkit_daemon_t,
rtkit_daemon_initrc_exec_t)
')
+
+########################################
+## <summary>
+## Get status of rtkit_daemon_unit_t service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtkit_service_status',`
+ gen_require(`
+ type rtkit_daemon_unit_t;
+ class service { status };
+ ')
+
+ allow $1 rtkit_daemon_unit_t:service status;
+')
+
+########################################
+## <summary>
+## start rtkit daemon service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtkit_service_start',`
+ gen_require(`
+ type rtkit_daemon_unit_t;
+ class service { start };
+ ')
+
+ allow $1 rtkit_daemon_unit_t:service start;
+')