#

# Macros for Dbus

#

# Author: Colin Walters <walters@redhat.com>

# dbusd_domain(domain_prefix)

#

# Define a derived domain for the DBus daemon.

define(`dbusd_domain', `

ifelse(`system', `$1',`

daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')

# For backwards compatibility

typealias system_dbusd_t alias dbusd_t;

type etc_dbusd_t, file_type, sysadmfile;

',`

type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;

role $1_r types $1_dbusd_t;

domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)

read_locale($1_dbusd_t)

allow $1_t $1_dbusd_t:process { sigkill signal };

allow $1_dbusd_t self:process { sigkill signal };

dontaudit $1_dbusd_t var_t:dir { getattr search };

')dnl end ifelse system

base_file_read_access($1_dbusd_t)

uses_shlib($1_dbusd_t)

allow $1_dbusd_t etc_t:file { getattr read };

r_dir_file($1_dbusd_t, etc_dbusd_t)

tmp_domain($1_dbusd) 

allow $1_dbusd_t self:process fork;

can_pipe_xdm($1_dbusd_t)

allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;

allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;

allow $1_dbusd_t urandom_device_t:chr_file { getattr read };

allow $1_dbusd_t self:file { getattr read write };

allow $1_dbusd_t proc_t:file read;

can_getsecurity($1_dbusd_t)

r_dir_file($1_dbusd_t, default_context_t)

allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;

ifdef(`pamconsole.te', `

r_dir_file($1_dbusd_t, pam_var_console_t)

')

allow $1_dbusd_t self:dbus { send_msg acquire_svc };

')dnl end dbusd_domain definition

# dbusd_client(dbus_type, domain_prefix)

# Example: dbusd_client_domain(system, user)

#

# Define a new derived domain for connecting to dbus_type

# from domain_prefix_t. 

undefine(`dbusd_client')

define(`dbusd_client',`

ifdef(`dbusd.te',`

# Derived type used for connection

type $2_dbusd_$1_t;

type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;

# SE-DBus specific permissions

allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;

# For connecting to the bus

allow $2_t $1_dbusd_t:unix_stream_socket connectto;

ifelse(`system', `$1', `

allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;

allow { $2_t } system_dbusd_var_run_t:sock_file write;

',`') dnl endif system

') dnl endif dbusd.te

')

# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)

# Example: can_dbusd_converse(system, hald, updfstab)

# Example: can_dbusd_converse(session, user, user)

define(`can_dbusd_converse',`')

ifdef(`dbusd.te',`

undefine(`can_dbusd_converse')

define(`can_dbusd_converse',`

allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };

allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };

') dnl endif dbusd.te

')