[refpolicy] [PATCH 1/3] userdomain: new dbus chat interface

Chris PeBenito pebenito at ieee.org
Mon May 22 23:19:40 UTC 2017


On 05/20/2017 11:40 AM, Guido Trentalancia via refpolicy wrote:
> Minor update for the Apache OpenOffice(R) module: part 1/3.
>
> This patch introduces a new interface to allow bidirectional
> dbus chat from/to the user domain (instead of only unidirectional
> messaging).
>
> The new interface is used by part 2/3.
>
> Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
> ---
>  policy/modules/system/userdomain.if |   21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>
> --- a/policy/modules/system/userdomain.if	2017-04-26 17:47:14.081423048 +0200
> +++ b/policy/modules/system/userdomain.if	2017-05-20 15:55:50.405244985 +0200
> @@ -4018,6 +4018,27 @@ interface(`userdom_dbus_send_all_users',
>
>  ########################################
>  ## <summary>
> +##	Send and receive dbus messages
> +##	from and to all user domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_dbus_chat_all_users',`
> +	gen_require(`
> +		attribute userdomain;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 userdomain:dbus send_msg;
> +	allow userdomain $1:dbus send_msg;
> +')
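
Review bot: The two allow rules at the end of userdom_dbus_chat_all_users() use the userdomain attribute, so the caller can exchange dbus messages with every user domain on the system, and the second rule, "allow userdomain $1:dbus send_msg;", grants each of those user domains the right to send to the caller. If the consumer only needs to talk to the user domain that is running it, consider taking that domain as a parameter instead of the attribute, so the grant is limited to one pair of domains. The param description "Domain allowed access." also covers only the first rule; it would help to say in the summary that user domains gain send_msg access to the calling domain as well.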

Generally I feel that whichever domain is more like a service should provide 
the dbus chat interface.  Neither side really fits that description in 
this case, but since userdomain hasn't needed this access yet, I think 
it makes more sense for it to go in the openoffice module.  In fact, it 
might make the most sense in ooffice_role().

-- 
Chris PeBenito

