[refpolicy] dbus/lvm read domain state

Martin Orr martin at martinorr.name
Tue Mar 31 09:51:11 CDT 2009


On 15/03/09 23:23, Russell Coker wrote:
> On Mon, 16 Mar 2009, Martin Orr <martin at martinorr.name> wrote:
>> +domain_read_all_domains_state(system_dbusd_t)
> 
> Do we really want all domains?  I think it will do to allow system_dbusd_t to 
> read all domains that talk to it.
> 
> Why not modify dbus_system_bus_client() to have something like the following?
>        allow system_dbusd_t $2:dir search;
>        allow system_dbusd_t $2:file read_file_perms;
> 

Yes, that makes sense.  I have added it to dbus_session_bus_client as well,
and to dbus_system_bus_unconfined for unconfined_t (not sure about the last
one - maybe unconfined_domain should call dbus_system_bus_client instead).

Also, I have a vague idea that I'm not supposed to use $1 as the object type
in an interface, and should use an attribute instead.  Not sure where I got
that idea from; Chris, could you confirm?

Index: policy/modules/system/lvm.te
===================================================================
--- policy/modules/system/lvm.te.orig
+++ policy/modules/system/lvm.te
@@ -243,6 +243,7 @@
 corecmd_exec_bin(lvm_t)
 corecmd_exec_shell(lvm_t)
 
+domain_dontaudit_read_all_domains_state(lvm_t)
 domain_use_interactive_fds(lvm_t)
 
 files_read_etc_files(lvm_t)
Index: policy/modules/services/dbus.if
===================================================================
--- policy/modules/services/dbus.if.orig
+++ policy/modules/services/dbus.if
@@ -197,6 +197,9 @@
 	files_search_pids($1)
 	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
 	dbus_read_config($1)
+
+	# DBus reads /proc/$pid/cmdline for logging
+	read_files_pattern(system_dbusd_t, $1, $1)
 ')
 
 #######################################
@@ -221,6 +224,9 @@
 
 	# For connecting to the bus
 	allow $1 session_bus_type:unix_stream_socket connectto;
+
+	# DBus reads /proc/$pid/cmdline for logging
+	read_files_pattern(session_bus_type, $1, $1)
 ')
 
 ########################################
@@ -317,4 +323,7 @@
 	')
 
 	allow $1 system_dbusd_t:dbus *;
+
+	# DBus reads /proc/$pid/cmdline for logging
+	read_files_pattern(system_dbusd_t, $1, $1)
 ')


-- 
Martin Orr


More information about the refpolicy mailing list