Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Macros for Dbus
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Author: Colin Walters <walters@redhat.com>
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# dbusd_domain(domain_prefix)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Define a derived domain for the DBus daemon.
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`dbusd_domain', `
Chris PeBenito 0fbfa5
ifelse(`system', `$1',`
Chris PeBenito 0fbfa5
daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
Chris PeBenito 0fbfa5
# For backwards compatibility
Chris PeBenito 0fbfa5
typealias system_dbusd_t alias dbusd_t;
Chris PeBenito 0fbfa5
type etc_dbusd_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
',`
Chris PeBenito 0fbfa5
type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
Chris PeBenito 0fbfa5
role $1_r types $1_dbusd_t;
Chris PeBenito 0fbfa5
domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
Chris PeBenito 0fbfa5
read_locale($1_dbusd_t)
Chris PeBenito 0fbfa5
allow $1_t $1_dbusd_t:process { sigkill signal };
Chris PeBenito 0fbfa5
allow $1_dbusd_t self:process { sigkill signal };
Chris PeBenito 0fbfa5
dontaudit $1_dbusd_t var_t:dir { getattr search };
Chris PeBenito 0fbfa5
')dnl end ifelse system
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
base_file_read_access($1_dbusd_t)
Chris PeBenito 0fbfa5
uses_shlib($1_dbusd_t)
Chris PeBenito 0fbfa5
allow $1_dbusd_t etc_t:file { getattr read };
Chris PeBenito 0fbfa5
r_dir_file($1_dbusd_t, etc_dbusd_t)
Chris PeBenito 0fbfa5
tmp_domain($1_dbusd) 
Chris PeBenito 0fbfa5
allow $1_dbusd_t self:process fork;
Chris PeBenito 0fbfa5
ifdef(`xdm.te', `
Chris PeBenito 0fbfa5
allow $1_dbusd_t xdm_t:fd use;
Chris PeBenito 0fbfa5
allow $1_dbusd_t xdm_t:fifo_file write;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
Chris PeBenito 0fbfa5
allow $1_dbusd_t self:file { getattr read };
Chris PeBenito 0fbfa5
allow $1_dbusd_t proc_t:file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`pamconsole.te', `
Chris PeBenito 0fbfa5
r_dir_file($1_dbusd_t, pam_var_console_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
')dnl end dbusd_domain definition
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# dbusd_client(dbus_type, domain_prefix)
Chris PeBenito 0fbfa5
# Example: dbusd_client_domain(system, user)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Define a new derived domain for connecting to dbus_type
Chris PeBenito 0fbfa5
# from domain_prefix_t. 
Chris PeBenito 0fbfa5
undefine(`dbusd_client')
Chris PeBenito 0fbfa5
define(`dbusd_client',`
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`dbusd.te',`
Chris PeBenito 0fbfa5
# Derived type used for connection
Chris PeBenito 0fbfa5
type $2_dbusd_$1_t;
Chris PeBenito 0fbfa5
type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# SE-DBus specific permissions
Chris PeBenito 0fbfa5
allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# For connecting to the bus
Chris PeBenito 0fbfa5
allow $2_t $1_dbusd_t:unix_stream_socket connectto;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
') dnl endif dbusd.te
Chris PeBenito 0fbfa5
ifelse(`system', `$1', `
Chris PeBenito 0fbfa5
allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
Chris PeBenito 0fbfa5
allow { $2_t } system_dbusd_var_run_t:sock_file write;
Chris PeBenito 0fbfa5
',`') dnl endif system
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
Chris PeBenito 0fbfa5
# Example: can_dbusd_converse(system, hald, updfstab)
Chris PeBenito 0fbfa5
# Example: can_dbusd_converse(session, user, user)
Chris PeBenito 0fbfa5
define(`can_dbusd_converse',`')
Chris PeBenito 0fbfa5
ifdef(`dbusd.te',`
Chris PeBenito 0fbfa5
undefine(`can_dbusd_converse')
Chris PeBenito 0fbfa5
define(`can_dbusd_converse',`
Chris PeBenito 0fbfa5
allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
Chris PeBenito 0fbfa5
allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
Chris PeBenito 0fbfa5
') dnl endif dbusd.te
Chris PeBenito 0fbfa5
')