Changeset 2686

Timestamp:

05/19/08 12:57:28 (7 months ago)

Author:

pebenito

Message:

rbacsep: collapse services except xserver.

Files:

• branches/rbacsep/policy/modules/services/apache.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/bluetooth.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/cron.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/cron.if (modified) (10 diffs)
• branches/rbacsep/policy/modules/services/cron.te (modified) (6 diffs)
• branches/rbacsep/policy/modules/services/dbus.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/dbus.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/services/ftp.te (modified) (1 diff)
• branches/rbacsep/policy/modules/services/lpd.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/mta.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/pyzor.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/services/razor.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/razor.te (modified) (1 diff)
• branches/rbacsep/policy/modules/services/samba.te (modified) (1 diff)
• branches/rbacsep/policy/modules/services/spamassassin.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/services/ssh.te (modified) (5 diffs)

branches/rbacsep/policy/modules/services/apache.te

@@ -187 +187 @@
-type httpd_tmpfs_t;
-files_tmpfs_file(httpd_tmpfs_t)
+
+apache_content_template(user)
-
-# for apache2 memory mapped files
@@ -722 +724 @@
-
-miscfiles_read_localization(httpd_rotatelogs_t)
+
+########################################
+#
+# User content local policy
+#
+
+typeattribute httpd_user_script_t httpd_script_domains;
+userdom_user_home_content($1,httpd_user_content_t)
+
+allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
+
+allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+
+manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+
+manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+
+manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+
+tunable_policy(`httpd_enable_cgi',`
+        # If a user starts a script by hand it gets the proper context
+        domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+        allow httpd_user_script_t httpdcontent:file entrypoint;
+
+        domtrans_pattern($2, httpdcontent, httpd_user_script_t)
+')
+
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+        userdom_search_user_home_dirs($1,httpd_t)
+        userdom_search_user_home_dirs($1,httpd_suexec_t)
+        userdom_search_user_home_dirs($1,httpd_user_script_t)
+')

branches/rbacsep/policy/modules/services/bluetooth.te

@@ -16 +16 @@
-files_type(bluetooth_conf_rw_t)
-
-
-
+
-type bluetooth_helper_exec_t;
-
+
+
+
+
+
+
+
-
-type bluetooth_lock_t;
@@ -146 +151 @@
-        ppp_domtrans(bluetooth_t)
-')
+
+########################################
+#
+# Bluetooth helper programs local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
+allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file })
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctls(bluetooth_helper_t)
+
+dev_read_urand(bluetooth_helper_t)
+
+term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_files(bluetooth_helper_t)
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+libs_use_ld_so(bluetooth_helper_t)
+libs_use_shared_libs(bluetooth_helper_t)
+
+locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+logging_send_syslog_msg(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t) 
+
+sysnet_read_config(bluetooth_helper_t)
+
+optional_policy(`
+        bluetooth_dbus_chat(bluetooth_helper_t)
+
+        dbus_system_bus_client_template(bluetooth_helper, bluetooth_helper_t)
+        dbus_connect_system_bus(bluetooth_helper_t)
+')
+
+optional_policy(`
+        nscd_socket_use(bluetooth_helper_t)
+')
+
+optional_policy(`
+        xserver_user_x_domain_template($1, bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+')

branches/rbacsep/policy/modules/services/cron.fc

@@ -42 +42 @@
-
-/var/spool/fcron                -d      gen_context(system_u:object_r:cron_spool_t,s0)
-.
+[^/]
-/var/spool/fcron/systab\.orig   --      gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab         --      gen_context(system_u:object_r:system_cron_spool_t,s0)

branches/rbacsep/policy/modules/services/cron.if

@@ -267 +267 @@
-#######################################
-## <summary>
+##      The common rules for a crontab domain.
+## </summary>
+## <param name="userdomain_prefix">
+##      <summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##      </summary>
+## </param>
+#
+template(`cron_common_crontab_template',`
+        gen_require(`
+                type crontab_exec_t, user_cron_spool_t;
+        ')
+
+        ##############################
+        #
+        # Declarations
+        #
+
+        type $1_t;
+        application_domain($1_t, crontab_exec_t)
+
+        type $1_tmp_t;
+        files_tmp_file($1_tmp_t)
+
+        ##############################
+        #
+        # Local policy
+        #
+
+        # dac_override is to create the file in the directory under /tmp
+        allow $1_t self:capability { fowner setuid setgid chown dac_override };
+        allow $1_t self:process signal_perms;
+
+        # Transition from the user domain to the derived domain.
+        domtrans_pattern($2, crontab_exec_t, $1_t)
+
+        # crontab shows up in user ps
+        ps_process_pattern($2,$1_t)
+
+        # for ^Z
+        allow $2 $1_t:process signal;
+
+        # Allow crond to read those crontabs in cron spool.
+        allow crond_t $1_cron_spool_t:file manage_file_perms;
+
+        allow $1_t $1_tmp_t:file manage_file_perms;
+        files_tmp_filetrans($1_t,$1_tmp_t,file)
+
+        # create files in /var/spool/cron
+        # cjp: change this to a role transition
+        manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
+        filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
+        files_search_spool($1_t)
+
+        # crontab signals crond by updating the mtime on the spooldir
+        allow $1_t cron_spool_t:dir setattr;
+
+        kernel_read_system_state($1_t)
+
+        # for the checks used by crontab -u
+        selinux_dontaudit_search_fs($1_t)
+
+        fs_getattr_xattr_fs($1_t)
+
+        # Run helper programs as the user domain
+        corecmd_bin_domtrans($1_t,$2)
+        corecmd_shell_domtrans($1_t,$2)
+
+        domain_use_interactive_fds($1_t)
+
+        files_read_etc_files($1_t)
+        files_dontaudit_search_pids($1_t)
+
+        libs_use_ld_so($1_t)
+        libs_use_shared_libs($1_t)
+
+        logging_send_syslog_msg($1_t)
+
+        miscfiles_read_localization($1_t)
+
+        seutil_read_config($1_t)
+
+        userdom_manage_user_tmp_dirs($1,$1_t)
+        userdom_manage_user_tmp_files($1,$1_t)
+        # Access terminals.
+        userdom_use_user_terminals($1,$1_t)
+        # Read user crontabs
+        userdom_read_user_home_content_files($1,$1_t)
+
+        tunable_policy(`fcron_crond',`
+                # fcron wants an instant update of a crontab change for the administrator
+                # also crontab does a security check for crontab -u
+                dontaudit $1_t crond_t:process signal;
+        ')
+
+        optional_policy(`
+                nscd_socket_use($1_t)
+        ')
+')
+
+#######################################
+## <summary>
-##      The administrative functions template for the cron module.
-## </summary>
@@ -287 +390 @@
-                attribute cron_spool_type;
-                type $1_crontab_t, $1_crond_t;
-
+
+
+
+
+
-
-        # Allow our crontab domain to unlink a user cron spool file.
@@ -306 +413 @@
-                # also crontab does a security check for crontab -u
-                allow $1_crontab_t self:process setfscreate;
-                selinux_get_fs_mount($1_crontab_t)
-        ')
-')
@@ -328 +434 @@
-interface(`cron_system_entry',`
-        gen_require(`
-d
-
-
-d
+job
+
+
+job
-
-        # cjp: perhaps these four rules from the old
-        # domain_auto_trans are not needed?
-d
-d
-d
+job
+job
+job
-
-        allow $1 crond_t:fifo_file rw_file_perms;
@@ -486 +592 @@
-interface(`cron_anacron_domtrans_system_job',`
-        gen_require(`
-d
-
-
-d
+job
+
+
+job
-')
-
@@ -505 +611 @@
-interface(`cron_use_system_job_fds',`
-        gen_require(`
-d
-
-
-d
+job
+
+
+job
-')
-
@@ -523 +629 @@
-interface(`cron_write_system_job_pipes',`
-        gen_require(`
-d
-
-
-d
+job
+
+
+job
-')
-
@@ -541 +647 @@
-interface(`cron_rw_system_job_pipes',`
-        gen_require(`
-d
-
-
-d
+job
+
+
+job
-')
-
@@ -559 +665 @@
-interface(`cron_read_system_job_tmp_files',`
-        gen_require(`
-d
+job
-        ')
-
-        files_search_tmp($1)
-d
+job
-')
-
@@ -579 +685 @@
-interface(`cron_dontaudit_append_system_job_tmp_files',`
-        gen_require(`
-d
-
-
-d
-
+job
+
+
+job
+

branches/rbacsep/policy/modules/services/cron.te

@@ -58 +58 @@
-application_executable_file(crontab_exec_t)
-
+cron_common_crontab_template(admin_crontab)
+
+cron_common_crontab_template(crontab)
+
-type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
-
-
-d
-d
-d
-
-
-d
-
-
-d
+job_t alias system_cron
+job
+job
+job
+
+job_lock_t alias system_cron
+job
+
+job_tmp_t alias system_cron
+job
-
-ifdef(`enable_mcs',`
@@ -76 +80 @@
-')
-
+type cronjob_t;
+domain_type(cronjob_t)
+domain_cron_exemption_target(cronjob_t)
+corecmd_shell_entry_type(cronjob_t)
+role $3 types cronjob_t;
+
+# Type of user crontabs once moved to cron spool.
+type user_cron_spool_t, cron_spool_type;
+files_type(user_cron_spool_t)
+
-########################################
-#
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-#
-
@@ -222 +261 @@
-#
-
-d
-d
-d
-d
+job
+job
+job
+job
-
-# This is to handle creation of files in /var/log directory.
-#  Used currently by rpm script log files
-d
-d
+job
+job
-
-# This is to handle /var/lib/misc directory.  Used currently
-# by prelink var/lib files for cron 
-d
-d
-
-d
+job
+job
+
+job
-# The entrypoint interface is not used as this is not
-# a regular entrypoint.  Since crontab files are
@@ -245 +284 @@
-# performs an entrypoint permission check
-# for this purpose.
-d
+job
-
-# Permit a transition from the crond_t domain to this domain.
@@ -251 +290 @@
-# via setexeccon.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-d
-d
-d
-d
-d
-d
+job
+job
+job
+job
+job
+job
-
-# Write /var/lock/makewhatis.lock.
-d_t system_crond
-d_t,system_crond
+job_t system_cronjob
+job_t,system_cronjob
-
-# write temporary files
-d_t,crond_tmp_t,system_crond
-d_t,crond_tmp_t,system_crond
-d_t,crond_tmp_t,system_crond
-d_t,system_crond
+job_t,crond_tmp_t,system_cronjob
+job_t,crond_tmp_t,system_cronjob
+job_t,crond_tmp_t,system_cronjob
+job_t,system_cronjob
-
-# Read from /var/spool/cron.
-d
-d
-
-d
-d
-d
+job
+job
+
+job
+job
+job
-
-# ps does not need to access /boot when run from cron
-d
-
-d
-
-d
-d
-d
-d
-d
-d
-d
-d
-
-d
-d
-d
-
-d
-d
-d
-d
-d
+job
+
+job
+
+job
+job
+job
+job
+job
+job
+job
+job
+
+job
+job
+job
+
+job
+job
+job
+job
+job
-
-# quiet other ps operations
-d
-
-d
-d
-d
-d
-d
-d
-d
-d
-d
-d
-d
+job
+
+job
+job
+job
+job
+job
+job
+job
+job
+job
+job
+job
-# for nscd:
-d
+job
-# Access other spool directories like
-# /var/spool/anacron and /var/spool/slrnpull.
-d
-
-d
-d
-d
+job
+
+job
+job
+job
-# prelink tells init to restart it self, we either need to allow or dontaudit
-d
-
-d
-
-d
-d
-d
-d
-
-d
-d
-
-d
-d
-
-d
+job
+
+job
+
+job
+job
+job
+job
+
+job
+job
+
+job
+job
+
+job
-
-ifdef(`distro_redhat', `
@@ -345 +384 @@
-        # via redirection of standard out.
-        optional_policy(`
-d
+job
-        ')
-')
-
-tunable_policy(`cron_can_relabel',`
-d
+job
-',`
-d
-d
-d
-d
-d
-d
-d
+job
+job
+job
+job
+job
+job
+job
-')
-
-optional_policy(`
-        # Needed for certwatch
-d
-d
-d
-d
-
-
-
-d
-
-
-
-d
-
-
-
-d
-d
-d
-
-
-
-d
-
-
-
-d
-
-
-
-d
-
-
-
-d
+job
+job
+job
+job
+
+
+
+job
+
+
+
+job
+
+
+
+job
+job
+job
+
+
+
+job
+
+
+
+job
+
+
+
+job
+
+
+
+job
-')      
-
-optional_policy(`
-d
-d
-d
-
-
-
-d
-d
-d
-
-
-
-d
+job
+job
+job
+
+
+
+job
+job
+job
+
+
+
+job
-')
-
-optional_policy(`
-        # cjp: why?
-d
-
-
-
-d
-
-
-
-d
-
-d
+job
+
+
+
+job
+
+
+
+job
+
+job
-')
-
-ifdef(`TODO',`
-ifdef(`mta.te', `
-d
-d
+job
+job
-r_dir_file(system_mail_t, crond_tmp_t)
-')
-') dnl end TODO
+
+########################################
+#
+# User cronjobs local policy
+#
+
+allow cronjob_t self:capability dac_override;
+allow cronjob_t self:process { signal_perms setsched };
+allow cronjob_t self:fifo_file rw_fifo_file_perms;
+allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
+allow cronjob_t self:unix_dgram_socket create_socket_perms;
+
+# The entrypoint interface is not used as this is not
+# a regular entrypoint.  Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job.  It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
+kernel_read_system_state(cronjob_t)
+kernel_read_kernel_sysctls(cronjob_t)
+
+# ps does not need to access /boot when run from cron
+files_dontaudit_search_boot(cronjob_t)
+
+corenet_all_recvfrom_unlabeled(cronjob_t)
+corenet_all_recvfrom_netlabel(cronjob_t)
+corenet_tcp_sendrecv_all_if(cronjob_t)
+corenet_udp_sendrecv_all_if(cronjob_t)
+corenet_tcp_sendrecv_all_nodes(cronjob_t)
+corenet_udp_sendrecv_all_nodes(cronjob_t)
+corenet_tcp_sendrecv_all_ports(cronjob_t)
+corenet_udp_sendrecv_all_ports(cronjob_t)
+corenet_tcp_connect_all_ports(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
+
+dev_read_urand(cronjob_t)
+
+fs_getattr_all_fs(cronjob_t)
+
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(cronjob_t)
+domain_dontaudit_getattr_all_domains(cronjob_t)
+
+files_read_usr_files(cronjob_t)
+files_exec_etc_files(cronjob_t)
+# for nscd:
+files_dontaudit_search_pids(cronjob_t)
+
+libs_use_ld_so(cronjob_t)
+libs_use_shared_libs(cronjob_t)
+libs_exec_lib_files(cronjob_t)
+libs_exec_ld_so(cronjob_t)
+
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
+logging_search_logs(cronjob_t)
+
+seutil_read_config(cronjob_t)
+
+miscfiles_read_localization(cronjob_t)
+
+userdom_manage_user_tmp_files($1,cronjob_t)
+userdom_manage_user_tmp_symlinks($1,cronjob_t)
+userdom_manage_user_tmp_pipes($1,cronjob_t)
+userdom_manage_user_tmp_sockets($1,cronjob_t)
+# Run scripts in user home directory and access shared libs.
+userdom_exec_user_home_content_files($1,cronjob_t)
+# Access user files and dirs.
+#userdom_manage_user_home_subdir_dirs($1,cronjob_t)
+userdom_manage_user_home_content_files($1,cronjob_t)
+userdom_manage_user_home_content_symlinks($1,cronjob_t)
+userdom_manage_user_home_content_pipes($1,cronjob_t)
+userdom_manage_user_home_content_sockets($1,cronjob_t)
+#userdom_user_home_dir_filetrans_user_home_content($1,cronjob_t,notdevfile_class_set)
+
+tunable_policy(`fcron_crond', `
+        allow crond_t user_cron_spool_t:file manage_file_perms;
+')
+
+# need a per-role version of this:
+#optional_policy(`
+#       mono_domtrans(cronjob_t)
+#')
+
+optional_policy(`
+        dbus_stub(cronjob_t)
+
+        allow cronjob_t $2:dbus send_msg;
+')              
+
+optional_policy(`
+        nis_use_ypbind(cronjob_t)
+')

branches/rbacsep/policy/modules/services/dbus.fc

@@ -2 +2 @@
-
-# Sorting does not work correctly if I combine these next two roles
-system_
-system_
+
+
-
-/var/lib/dbus(/.*)?             gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)

branches/rbacsep/policy/modules/services/dbus.te

@@ -14 +14 @@
-files_type(dbusd_etc_t)
-
+type session_dbusd_t;
+type dbusd_exec_t alias system_dbusd_exec_t;
+domain_type(session_dbusd_t)
+domain_entry_file(session_dbusd_t, dbusd_exec_t)
+
+type session_dbusd_tmp_t;
+files_tmp_file(session_dbusd_tmp_t)
+
-type system_dbusd_t alias dbusd_t;
-
-
+
-
-type system_dbusd_tmp_t;
@@ -30 +37 @@
-#
-# Local policy
+#
+
+allow session_dbusd_t self:process { getattr sigkill signal };
+dontaudit session_dbusd_t self:process ptrace;
+allow session_dbusd_t self:file { getattr read write };
+allow session_dbusd_t self:fifo_file rw_fifo_file_perms;
+allow session_dbusd_t self:dbus { send_msg acquire_svc };
+allow session_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+allow session_dbusd_t self:unix_dgram_socket create_socket_perms;
+allow session_dbusd_t self:tcp_socket create_stream_socket_perms;
+allow session_dbusd_t self:netlink_selinux_socket create_socket_perms;
+
+# For connecting to the bus
+allow $2 session_dbusd_t:unix_stream_socket connectto;
+
+# SE-DBus specific permissions
+allow session_dbusd_t self:dbus send_msg;
+allow $2 session_dbusd_t:dbus { send_msg acquire_svc };
+allow $2 system_dbusd_t:dbus { send_msg acquire_svc };
+
+allow session_dbusd_t dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(session_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+read_lnk_files_pattern(session_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+
+manage_dirs_pattern(session_dbusd_t,session_dbusd_tmp_t,session_dbusd_tmp_t)
+manage_files_pattern(session_dbusd_t,session_dbusd_tmp_t,session_dbusd_tmp_t)
+files_tmp_filetrans(session_dbusd_t, session_dbusd_tmp_t, { file dir })
+
+domtrans_pattern($2, system_dbusd_exec_t, session_dbusd_t)
+allow $2 session_dbusd_t:process { sigkill signal };
+
+# cjp: this seems very broken
+corecmd_bin_domtrans(session_dbusd_t, $2)
+allow session_dbusd_t $2:process sigkill;
+allow $2 session_dbusd_t:fd use;
+allow $2 session_dbusd_t:fifo_file rw_fifo_file_perms;
+allow $2 session_dbusd_t:process sigchld;
+
+kernel_read_system_state(session_dbusd_t)
+kernel_read_kernel_sysctls(session_dbusd_t)
+
+corecmd_list_bin(session_dbusd_t)
+corecmd_read_bin_symlinks(session_dbusd_t)
+corecmd_read_bin_files(session_dbusd_t)
+corecmd_read_bin_pipes(session_dbusd_t)
+corecmd_read_bin_sockets(session_dbusd_t)
+
+corenet_all_recvfrom_unlabeled(session_dbusd_t)
+corenet_all_recvfrom_netlabel(session_dbusd_t)
+corenet_tcp_sendrecv_all_if(session_dbusd_t)
+corenet_tcp_sendrecv_all_nodes(session_dbusd_t)