From 455c3fb3eec2b913038bee429343403c81ebe5b2 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Tue, 9 Jan 2024 09:54:40 -0500 Subject: Setup domain for dbus selinux interface The dbus selinux interface comes from policycoreutils-dbus package Signed-off-by: Dave Sugar Signed-off-by: Kenton Groombridge --- policy/modules/system/selinuxutil.fc | 3 +++ policy/modules/system/selinuxutil.if | 21 +++++++++++++++++++++ policy/modules/system/selinuxutil.te | 23 +++++++++++++++++++++++ 3 files changed, 47 insertions(+) diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc index 632628c81..4a41adf60 100644 --- a/policy/modules/system/selinuxutil.fc +++ b/policy/modules/system/selinuxutil.fc @@ -48,6 +48,9 @@ /usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) + +/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:selinux_dbus_exec_t,s0) + /usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0) # diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index 30db6a094..f4464cc5c 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -1,5 +1,26 @@ ## Policy for SELinux policy and userland applications. +######################################## +## +## Send and receive messages from +## selinux semanage dbus interface. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_semanage_dbus_chat',` + gen_require(` + type selinux_dbus_t; + class dbus send_msg; + ') + + allow $1 selinux_dbus_t:dbus send_msg; + allow selinux_dbus_t $1:dbus send_msg; +') + ####################################### ## ## Execute checkpolicy in the checkpolicy domain. 
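Review bot: The doc comment on `seutil_semanage_dbus_chat` in selinuxutil.if describes only message passing, but the peer type is `selinux_dbus_t`, which the selinuxutil.te part of this commit lets transition into the semanage domain through `seutil_domtrans_semanage(selinux_dbus_t)`. Any domain given this interface therefore gets a request path towards policy management, presumably gated only by the service's own polkit checks. I would state that in the summary, for example `Callers can ask the service to run semanage on their behalf; grant only to domains trusted to request policy changes.` The interface name says semanage while the rules name `selinux_dbus_t`, so the description should also say which type is the peer, so that readers do not assume it is `semanage_t`.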
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 4d8624c6b..6393fadcf 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -97,6 +97,10 @@ application_domain(run_init_t, run_init_exec_t) domain_system_change_exemption(run_init_t) role run_init_roles types run_init_t; +type selinux_dbus_t; +type selinux_dbus_exec_t; +dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t) + type semanage_t; type semanage_exec_t; application_domain(semanage_t, semanage_exec_t) @@ -486,6 +490,25 @@ optional_policy(` daemontools_domtrans_start(run_init_t) ') +######################################## +# +# selinux DBUS local policy +# + +allow selinux_dbus_t self:fifo_file rw_inherited_fifo_file_perms; +allow selinux_dbus_t self:unix_stream_socket create_socket_perms; + +corecmd_exec_bin(selinux_dbus_t) + +files_read_etc_symlinks(selinux_dbus_t) +files_list_usr(selinux_dbus_t) + +policykit_dbus_chat(selinux_dbus_t) + +miscfiles_read_localization(selinux_dbus_t) + +seutil_domtrans_semanage(selinux_dbus_t) + ######################################## # # semodule local policy -- cgit v1.2.3-65-gdbad
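Review bot: In the "selinux DBUS local policy" block, `seutil_domtrans_semanage(selinux_dbus_t)` is the security-relevant line and it has no comment: it lets a bus-activated service enter the domain that manages the policy store. The only authorization hook visible here is `policykit_dbus_chat(selinux_dbus_t)`, so the policy appears to rely on the service checking polkit before it acts; a comment such as `# requests are authorised by the service through polkit before semanage is run` would record that assumption. `corecmd_exec_bin(selinux_dbus_t)` is also broad, since it lets the domain run any generic bin-labelled program without a transition, and a short comment naming what needs it (presumably the interpreter for the .py entrypoint) would help a later audit. No caller of `seutil_semanage_dbus_chat` is added in this commit, so which client domains can reach the service cannot be judged from this page.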