On 1/6/19 7:40 AM, Dominick Grift wrote:
> "Sugar, David" <dsugar@xxxxxxxxxx> writes:
>
>> The display manager lightdm (and I think gdm) start a dbus binary.
>>
>> This adds (and uses) new interface dbus_exec to start dbus in the xdm domain.
>>
>> type=AVC msg=audit(1544626796.378:201): avc: denied { execute } for pid=9973 comm="dbus-launch" name="dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1544626796.378:201): avc: denied { read open } for pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1544626796.378:201): avc: denied { execute_no_trans } for pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1544626796.378:201): avc: denied { map } for pid=9973 comm="dbus-daemon" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1546551459.112:208): avc: denied { getcap } for pid=6275 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1
>>
>> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
>> ---
>> policy/modules/services/dbus.if | 21 +++++++++++++++++++++
>> policy/modules/services/xserver.te | 1 +
>> 2 files changed, 22 insertions(+)
>>
>> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
>> index ef829e30..d0eec745 100644
>> --- a/policy/modules/services/dbus.if
>> +++ b/policy/modules/services/dbus.if
>> @@ -17,6 +17,27 @@ interface(`dbus_stub',`
>> ')
>> ')
>>
>> +########################################
>> +## <summary>
>> +## Execute dbus in the caller domain.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`dbus_exec',`
>> + gen_require(`
>> + type dbusd_exec_t;
>> + ')
>> +
>> + corecmd_search_bin($1)
>> + can_exec($1, dbusd_exec_t)
>> +
>> + allow $1 self:process getcap;
> I would not enclose the getcap rule here. For example I do not believe
> you need that permission to be able to `dbus-daemon --version`. Instead I
> would add that rule to xserver.te:
>
> allow xdm_t self:process getcap;
I did it this way due to the fact that it is dbus-daemon needing the
getcap permission not lightdm. So other processes that use the
dbus_exec interface will also need this permission. I'm happy separate
just worry it won't be clear why getcap will be added in several places
due to this.
>> +')
>> +
>> ########################################
>> ## <summary>
>> ## Role access for dbus.
>> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
>> index fa7ce88e..cc717e7f 100644
>> --- a/policy/modules/services/xserver.te
>> +++ b/policy/modules/services/xserver.te
>> @@ -566,6 +566,7 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>> + dbus_exec(xdm_t)
>> dbus_system_bus_client(xdm_t)
>> dbus_connect_system_bus(xdm_t)
