From 4b4747fe3533a6a34a901ec6cf1a99cef9f1dd2b Mon Sep 17 00:00:00 2001

From: osmond sun <osmond.sun@gmail.com>

Date: Wed, 6 Nov 2013 00:53:18 +0800

Subject: [PATCH 1/2] selinux: Use selinux_set_mapping() to avoid hardcoded

 constants for policy

Previous to the introduction of selinux_set_mapping(), DBus pulled

constants generated from the system's policy at build time.  But this

means it's impossible to replace the system policy without rebuilding

userspace components.

This patch maps from arbitrary class/perm indices used by D-Bus and

the policy values and handles all the translation at runtime on

avc_has_perm() calls.

Bug: https://bugs.freedesktop.org/attachment.cgi?id=88719

Reviewed-By: Colin Walters <walters@verbum.org>

Tested-By: Colin Walters <walters@verbum.org>

---

 bus/bus.c     |  2 +-

 bus/selinux.c | 30 +++++++++++++++++++++++++++---

 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/bus/bus.c b/bus/bus.c

index 59274ee..f4fad5b 100644

--- a/bus/bus.c

+++ b/bus/bus.c

@@ -902,7 +902,7 @@ bus_context_new (const DBusString *config_file,

   if (!bus_selinux_full_init ())

     {

-      bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but AVC initialization failed; check system log\n");

+      bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");

     }

   if (!process_config_postinit (context, parser, error))

diff --git a/bus/selinux.c b/bus/selinux.c

index 6442b79..9a1d4b4 100644

--- a/bus/selinux.c

+++ b/bus/selinux.c

@@ -44,8 +44,6 @@

 #include <syslog.h>

 #include <selinux/selinux.h>

 #include <selinux/avc.h>

-#include <selinux/av_permissions.h>

-#include <selinux/flask.h>

 #include <signal.h>

 #include <stdarg.h>

 #include <stdio.h>

@@ -341,8 +339,27 @@ bus_selinux_pre_init (void)

 #endif

 }

+/*

+ * Private Flask definitions; the order of these constants must

+ * exactly match that of the structure array below!

+ */

+/* security dbus class constants */

+#define SECCLASS_DBUS       1

+

+/* dbus's per access vector constants */

+#define DBUS__ACQUIRE_SVC   1

+#define DBUS__SEND_MSG      2

+

+#ifdef HAVE_SELINUX

+static struct security_class_mapping dbus_map[] = {

+  { "dbus", { "acquire_svc", "send_msg", NULL } },

+  { NULL }

+};

+#endif /* HAVE_SELINUX */

+

 /**

- * Initialize the user space access vector cache (AVC) for D-Bus and set up

+ * Establish dynamic object class and permission mapping and

+ * initialize the user space access vector cache (AVC) for D-Bus and set up

  * logging callbacks.

  */

 dbus_bool_t

@@ -361,6 +378,13 @@ bus_selinux_full_init (void)

   _dbus_verbose ("SELinux is enabled in this kernel.\n");

+  if (selinux_set_mapping (dbus_map) < 0)

+    {

+      _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).\n",

+                   strerror (errno));

+      return FALSE; 

+    }

+

   avc_entry_ref_init (&aeref);

   if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)

     {

-- 

2.7.4

From 1859b1e672ca2cbcc05b43cf20aba3df2ca48317 Mon Sep 17 00:00:00 2001

From: David King <dking@redhat.com>

Date: Mon, 8 Aug 2016 13:25:14 +0200

Subject: [PATCH 2/2] Rebase MLS change against new SELinux checks

https://bugzilla.redhat.com/show_bug.cgi?id=1364485

---

 bus/selinux.c | 4 ++++

 1 file changed, 4 insertions(+)

diff --git a/bus/selinux.c b/bus/selinux.c

index 9a1d4b4..2fb4a8b 100644

--- a/bus/selinux.c

+++ b/bus/selinux.c

@@ -345,14 +345,18 @@ bus_selinux_pre_init (void)

  */

 /* security dbus class constants */

 #define SECCLASS_DBUS       1

+#define SECCLASS_CONTEXT    2

 /* dbus's per access vector constants */

 #define DBUS__ACQUIRE_SVC   1

 #define DBUS__SEND_MSG      2

+#define CONTEXT__CONTAINS   1

+

 #ifdef HAVE_SELINUX

 static struct security_class_mapping dbus_map[] = {

   { "dbus", { "acquire_svc", "send_msg", NULL } },

+  { "context", { "contains", NULL } },

   { NULL }

 };

 #endif /* HAVE_SELINUX */

-- 

2.7.4