File suse_modifications_dbus.patch of Package selinux-policy.37503
Index: serefpolicy-contrib-20140730/dbus.te
===================================================================
--- serefpolicy-contrib-20140730.orig/dbus.te 2015-07-21 16:39:25.588407411 +0200
+++ serefpolicy-contrib-20140730/dbus.te 2015-07-21 16:41:17.738197485 +0200
@@ -55,7 +55,7 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability2 block_suspend;
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid ipc_lock};
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
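Review bot: The new `ipc_lock` capability on the `+` line has no justification comment, although the lines above explain `dac_override` the same way; CAP_IPC_LOCK lets the system bus lock memory (mlock/mlockall, SHM_LOCK), which is not an obvious need for dbus-daemon, so the denial or feature that motivated it should be named, e.g. `# ipc_lock: <reason/denial — TODO fill in>` above the rule. The same missing-rationale issue applies to the `dev_read_rand` and `var_run_t:sock_file` additions in the following hunks. As a matter of style the set should keep the surrounding spacing: `allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid ipc_lock };`.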
@@ -87,6 +87,7 @@ kernel_read_kernel_sysctls(system_dbusd_
kernel_stream_connect(system_dbusd_t)
dev_read_urand(system_dbusd_t)
+dev_read_rand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
dev_rw_inherited_input_dev(system_dbusd_t)
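Review bot: `dev_read_rand(system_dbusd_t)` is added directly beneath the existing `dev_read_urand` call without saying which code path opens /dev/random; unlike /dev/urandom, reads of /dev/random could block the system bus under entropy starvation on kernels of that era, so a reviewer would want to know whether this is dbus-daemon itself or a linked library. A one-line comment such as `# /dev/random is opened by <component — TODO confirm>` would make the rule auditable later.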
@@ -154,6 +155,8 @@ userdom_dontaudit_search_user_home_dirs(
userdom_home_reader(system_dbusd_t)
+allow system_dbusd_t var_run_t:sock_file write;
+
optional_policy(`
bind_domtrans(system_dbusd_t)
')
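Review bot: `allow system_dbusd_t var_run_t:sock_file write;` grants write access to every socket under /run that carries only the generic pid type, not just the one the bus needs, and uses a type from another module directly in a .te file; the refpolicy way is to give that socket its own type (with a file context entry) or, at minimum, to name the socket in a comment so the rule can be narrowed, e.g. `# write to /run/<socket — TODO name it> used by <consumer>`. If this policy is built as a separate module rather than monolithic, check that `var_run_t` is in scope here (a `gen_require` or an interface from the files module), since the surrounding lines use interfaces rather than raw types.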
Index: serefpolicy-contrib-20140730/dbus.if
===================================================================
--- serefpolicy-contrib-20140730.orig/dbus.if 2015-07-21 16:39:25.588407411 +0200
+++ serefpolicy-contrib-20140730/dbus.if 2015-07-21 16:39:28.964461299 +0200
@@ -111,6 +111,26 @@ template(`dbus_role_template',`
logging_send_syslog_msg($1_dbusd_t)
+ ifdef(`distro_suse',`
+ gen_require(`
+ type config_home_t, xdm_var_run_t;
+ ')
+ allow $1_dbusd_t self:unix_stream_socket connectto;
+
+ # is this firefox mislabeled?
+ #allow $1_dbusd_t lib_t:file execute_no_trans;
+ allow $1_dbusd_t config_home_t:file { rename unlink create read write getattr };
+ allow $1_dbusd_t xdm_var_run_t:file { getattr open read };
+
+ allow $1_dbusd_t $1_t:dbus send_msg;
+
+ auth_login_pgm_domain($1_dbusd_t)
+ xserver_non_drawing_client($1_dbusd_t)
+ gnome_manage_home_config_dirs($1_dbusd_t)
+ gnome_delete_home_config_dirs($1_dbusd_t)
+ corenet_tcp_connect_xserver_port($1_dbusd_t)
+ ')
+
optional_policy(`
mozilla_domtrans_spec($1_dbusd_t, $1_t)
')
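Review bot: `auth_login_pgm_domain($1_dbusd_t)` inside the `distro_suse` block turns the per-user session bus into a login-program domain, which in reference policy carries the subject-id/role-change exemptions, password-checker transitions and login-record access meant for login/PAM services — far more than a session bus should hold, so the denial that prompted it should be identified and replaced with the narrowest interface that covers it (hedged: I cannot see the denial from this hunk). The `config_home_t:file { rename unlink create read write getattr }` rule lacks `open`, so on kernels that enforce the open permission the read/write grants only work on inherited descriptors; either add `open` or use the matching `*_file_perms` set as the `xdm_var_run_t` rule does with `{ getattr open read }`. The commented-out `#allow $1_dbusd_t lib_t:file execute_no_trans;` with its "is this firefox mislabeled?" question should be resolved or dropped rather than shipped as dead policy. The enclosing `dbus_role_template` starts before this hunk.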