

dbus changes
dbus needs to map security_t files
private type ($1_dbusd_tmpfs_t) for files created on tmpfs

Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: avc: could not open selinux status page: 13 (Permission denied)
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: ERROR bus_selinux_init_global @ ../src/util/selinux.c +336: Permission denied
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +285
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +295
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: ERROR service_add @ ../src/launch/service.c +921: Transport endpoint is not connected
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_add_services @ ../src/launch/launcher.c +804
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_run @ ../src/launch/launcher.c +1409
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: run @ ../src/launch/main.c +152
Dec 20 18:18:15 localhost.localdomain audisp-syslog[1585]: node=localhost type=AVC msg=audit(1703096295.282:5058): avc:  denied  { map } for  pid=1927 comm="dbus-broker" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0

Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: main @ ../src/launch/main.c +178
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: Exiting due to fatal error: -107
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Main process exited, code=exited, status=1/FAILURE
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Failed with result 'exit-code'.

node=localhost type=AVC msg=audit(1703095496.614:486): avc:  denied  { write } for  pid=1838 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc:  denied  { map } for  pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc:  denied  { read } for  pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7369): avc:  denied  { write } for  pid=1839 comm="dbus-broker" name="memfd:dbus-broker-log" dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc:  denied  { map } for  pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc:  denied  { read } for  pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7632): avc:  denied  { write } for  pid=2394 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc:  denied  { map } for  pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc:  denied  { read } for  pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
dsugar100 committed Dec 20, 2023
1 parent 2680abe commit 16550f2
Showing 1 changed file with 8 additions and 0 deletions.
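--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -76,6 +76,8 @@ template(`dbus_role_template',`
 domain_entry_file($1_dbusd_t, dbusd_exec_t)
 ubac_constrained($1_dbusd_t)
 
+type $1_dbusd_tmpfs_t;
+
 role $2 types $1_dbusd_t;
 
 ##############################
@@ -107,13 +109,19 @@ template(`dbus_role_template',`
 allow $1_dbusd_t session_dbusd_tmp_t:sock_file manage_sock_file_perms;
 allow $1_dbusd_t self:unix_stream_socket connectto;
 
+allow $1_dbusd_t $1_dbusd_tmpfs_t:file mmap_rw_inherited_file_perms;
+
 files_read_etc_runtime_files($1_dbusd_t)
 
+fs_tmpfs_filetrans($1_dbusd_t, $1_dbusd_tmpfs_t, file)
+
 kernel_getattr_proc($1_dbusd_t)
 
 corecmd_bin_domtrans($1_dbusd_t, $3)
 corecmd_shell_domtrans($1_dbusd_t, $3)
 
+selinux_use_status_page($1_dbusd_t)
+
 auth_use_nsswitch($1_dbusd_t)
 
 dbus_exec($1_dbusd_t)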
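Review bot: The new `type $1_dbusd_tmpfs_t;` in the first hunk is declared without the refpolicy marking for tmpfs-backed content, so once the `fs_tmpfs_filetrans` in the second hunk relabels the memfd the domain can still be denied `filesystem { associate }` on tmpfs; add `files_tmpfs_file($1_dbusd_tmpfs_t)` directly after the declaration unless the template already does this outside the hunk. The `mmap_rw_inherited_file_perms` granted on the new type matches only the read/write/map denials in the description, which were recorded while the memfd was still labelled `tmpfs_t` in permissive mode, so any permission checked against the new label at creation time would not have shown up yet; the rule set should be re-verified in enforcing mode with the new labels before merging. The `dbus_role_template` body starts before the first hunk and continues past the second.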
