authorDave Sugar <dsugar100@gmail.com>2024-01-09 09:54:40 -0500
committerKenton Groombridge <concord@gentoo.org>2024-05-14 13:40:34 -0400
commit455c3fb3eec2b913038bee429343403c81ebe5b2 (patch)
treeee61593c703d7e199ebf6d79095e2e5c7dc08ff8
parentUpdate generated policy and doc files (diff)
Setup domain for dbus selinux interface
The dbus selinux interface comes from the policycoreutils-dbus package.

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/system/selinuxutil.fc3
-rw-r--r--policy/modules/system/selinuxutil.if21
-rw-r--r--policy/modules/system/selinuxutil.te23
3 files changed, 47 insertions, 0 deletions
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 632628c8..4a41adf6 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -48,6 +48,9 @@
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+
+/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:selinux_dbus_exec_t,s0)
+
/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 30db6a09..f4464cc5 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1,5 +1,26 @@
## <summary>Policy for SELinux policy and userland applications.</summary>
+########################################
+## <summary>
+## Send and receive messages from
+## selinux semanage dbus interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_semanage_dbus_chat',`
+ gen_require(`
+ type selinux_dbus_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 selinux_dbus_t:dbus send_msg;
+ allow selinux_dbus_t $1:dbus send_msg;
+')
+
#######################################
## <summary>
## Execute checkpolicy in the checkpolicy domain.
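Review bot: The summary of `seutil_semanage_dbus_chat` does not tell a policy author how privileged the peer is. The selinuxutil.te part of this commit gives `selinux_dbus_t` `seutil_domtrans_semanage`, so any domain granted this interface gets a message path to a service that can reach the semanage domain. I would say so in the summary, for example `## Send and receive messages over dbus with the SELinux management service (selinux_dbus_t), which can transition to semanage.` The interface is also named after semanage while the type it requires is `selinux_dbus_t`; a sentence tying the two together would save readers a lookup.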
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 4d8624c6..6393fadc 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -97,6 +97,10 @@ application_domain(run_init_t, run_init_exec_t)
domain_system_change_exemption(run_init_t)
role run_init_roles types run_init_t;
+type selinux_dbus_t;
+type selinux_dbus_exec_t;
+dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)
+
type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
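Review bot: `dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)` is called unconditionally here, and `policykit_dbus_chat(selinux_dbus_t)` in the next hunk likewise. If the dbus and policykit modules are not guaranteed to be present in every build of this tree (the hunk header of the next hunk shows this file already uses `optional_policy` elsewhere), the module will fail to compile without them. I would wrap each call in its own `optional_policy` block. Since `dbus_system_domain` appears to be the only thing making `selinux_dbus_t` a domain with an entry point, the types would then need a plain domain and entry-file declaration outside that block.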
@@ -488,6 +492,25 @@ optional_policy(`
########################################
#
+# selinux DBUS local policy
+#
+
+allow selinux_dbus_t self:fifo_file rw_inherited_fifo_file_perms;
+allow selinux_dbus_t self:unix_stream_socket create_socket_perms;
+
+corecmd_exec_bin(selinux_dbus_t)
+
+files_read_etc_symlinks(selinux_dbus_t)
+files_list_usr(selinux_dbus_t)
+
+policykit_dbus_chat(selinux_dbus_t)
+
+miscfiles_read_localization(selinux_dbus_t)
+
+seutil_domtrans_semanage(selinux_dbus_t)
+
+########################################
+#
# semodule local policy
#
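Review bot: `seutil_domtrans_semanage(selinux_dbus_t)` at the end of the new "selinux DBUS local policy" section lets a bus-activated service enter the semanage domain, and nothing in the section records what is expected to gate that path. From `policykit_dbus_chat(selinux_dbus_t)` I infer that the service authorizes requests through polkit, which is outside what this policy enforces. A why-comment above the transition would make the trust assumption reviewable, for example `# selinux_server.py runs semanage tools on behalf of dbus callers; caller authorization is done by the service via polkit.` It would also help to note why `corecmd_exec_bin` is needed, since it lets the domain run any bin_t program without a transition.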