Setup domain for dbus selinux interface
The dbus selinux interface comes from policycoreutils-dbus package

Signed-off-by: Dave Sugar <[email protected]>
dsugar100 committed Jan 9, 2024
1 parent d4555fd commit 8a1d07b
Showing 3 changed files with 44 additions and 0 deletions.
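--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -48,6 +48,9 @@
 /usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+
+/usr/share/system-config-selinux/selinux_server.py -- gen_context(system_u:object_r:selinux_dbus_exec_t,s0)
+
 /usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
 
 #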
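--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1,5 +1,26 @@
 ## <summary>Policy for SELinux policy and userland applications.</summary>
 
+########################################
+## <summary>
+## Send and receive messages from
+## selinux semanage dbus interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_semanage_dbus_chat',`
+gen_require(`
+type selinux_dbus_t;
+class dbus send_msg;
+')
+
+allow $1 selinux_dbus_t:dbus send_msg;
+allow selinux_dbus_t $1:dbus send_msg;
+')
+
 #######################################
 ## <summary>
 ## Execute checkpolicy in the checkpolicy domain.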
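Review bot: The doc block for `seutil_semanage_dbus_chat` says only "Domain allowed access", which hides what a caller is actually being granted. The selinuxutil.te section of this commit gives `selinux_dbus_t` a transition into the semanage domain (`seutil_domtrans_semanage(selinux_dbus_t)`), so any domain passed to this interface can send requests to a service that is able to start semanage. I would say that in the summary, for example `## Send and receive messages over D-Bus with the SELinux management service (selinux_dbus_t), which can run semanage.`, so a later policy author treats a call to this interface as a policy-management grant and not as ordinary D-Bus chatter. The name also reads as if it targets semanage_t while the rules only mention `selinux_dbus_t`; a name built from the type it grants access to would be less likely to be misapplied.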
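--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -97,6 +97,11 @@ application_domain(run_init_t, run_init_exec_t)
 domain_system_change_exemption(run_init_t)
 role run_init_roles types run_init_t;
 
+type selinux_dbus_t;
+type selinux_dbus_exec_t;
+dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)
+
+
 type semanage_t;
 type semanage_exec_t;
 application_domain(semanage_t, semanage_exec_t)
@@ -480,6 +485,21 @@ optional_policy(`
 daemontools_domtrans_start(run_init_t)
 ')
 
+
+########################################
+#
+# selinux DBUS local policy
+#
+
+allow selinux_dbus_t self:fifo_file rw_inherited_fifo_file_perms;
+allow selinux_dbus_t self:unix_stream_socket rw_socket_perms;
+
+corecmd_exec_bin(selinux_dbus_t)
+
+policykit_dbus_chat(selinux_dbus_t)
+
+seutil_domtrans_semanage(selinux_dbus_t)
+
 ########################################
 #
 # semodule local policy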
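Review bot: `policykit_dbus_chat(selinux_dbus_t)` in the second hunk and `dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)` in the first are called unconditionally, while the run_init_t policy directly above the second hunk wraps its cross-module call (`daemontools_domtrans_start`) in `optional_policy`. If the dbus or policykit modules can be left out of a build of this tree, which I cannot confirm from the page, selinuxutil would stop compiling; putting both calls in one `optional_policy` block would avoid that. Separately, `seutil_domtrans_semanage(selinux_dbus_t)` means policy changes requested over D-Bus are gated by whatever authorization selinux_server.py performs, presumably the polkit check that the `policykit_dbus_chat` rule exists for. A comment above that line such as `# runs semanage for D-Bus callers; authorization is expected to come from the service's polkit check` would record that assumption for the next reviewer.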
