New SE-DBUS patch

Matthew Rickard mjricka at epoch.ncsc.mil
Thu Jun 24 07:43:22 PDT 2004


Here is the latest SE-DBUS patch adding SELinux support to D-BUS. 
Changes since the last patch include modifying the config file format to
be consistent with other D-BUS config files as well as eliminating the
longest match for service name labellings.  There have also been a
number of other bug fixes and cleanups.

The patch does still need some work.  One remaining issue is that
dbus_connection_get_unix_fd() needs to be able to handle the case of
multiple file descriptors.  Any suggestions on the best way to do this? 
Also, the #ifdefs should be cleaned up, and there are some other issues
noted in the comments.  Test code also still needs to be expanded to
cover more SE-DBUS specific cases.

The sepolicy.conf file is separate from the rest of the patch now.  This
is because it will eventually be distributed along with the SELinux
policy instead of with D-BUS.  You will probably want to <include> it
from your system.conf or stick it in /system.d.

The patch and other files (readme, changelog, sepolicy.conf) are
attached.  They are also available at
http://www.flux.utah.edu/~sds/dbus/

Let me know if you have any comments or suggestions.


Matt




-------------- next part --------------
A non-text attachment was scrubbed...
Name: se-dbus-0.4.diff
Type: text/x-patch
Size: 42040 bytes
Desc: not available
Url : http://freedesktop.org/pipermail/dbus/attachments/20040624/5004f621/se-dbus-0.4-0001.bin
-------------- next part --------------
SE-DBUS Changelog
Matthew Rickard <mjricka at epoch.ncsc.mil>

6/24/04 - 0.4
-New patch release.  Note that sepolicy.conf is distributed separately
from the patch since it will be distributed with the SELinux policy 
and not D-BUS.
-Changed parsing to take selinux.conf file in XML format consistent
with the other D-BUS configs.  Don't do longest match on service
names.
-Service hash table is stored as part of the BusPolicy.  BusRegistry
holds a reference to this table.  This was done to keep the mappings
global and not per client.  However, it is kind of ugly and there is
probably a better way to do it.
-Fixed up some header problems.  Also fixed a few places not to assume
C99/gcc.
-Various SID handling fixes and cleanups.

2/23/04 - 0.3
-Changed code to store a SID for a service rather than a context.
This saves us from having to transition between context<->sid so much.
-Changed parsing code to store SIDs rather than contexts in the hash
table for the same reason as above.
-Changed bus_connection_avc_has_perm to take an optional SID now
instead of a context so it works appropriately with the above changes.
-Fixed a bug in the log callback struct.  Had an uninitialized pointer
there that could cause segfaults.
-Broke off part of the parsing function into bus_hash_service_sid() to do
the hashing separately.  Parse function still needs more cleanup.
-Various other cleanups.

2/19/04 - 0.2
-avc_context_to_sid() increments sid ref count.  We don't need to
increment it with sidget.  This caused ref leaks.
-bus_avc_store_service_context() shouldn't freecon -- we
aren't done with it until the service is released (it will be
freed by bus_service_unref() at that point).

2/19/04 - 0.1
-Initial Release

-------------- next part --------------
A non-text attachment was scrubbed...
Name: se-dbus-0.4-README
Type: text/x-readme
Size: 3972 bytes
Desc: not available
Url : http://freedesktop.org/pipermail/dbus/attachments/20040624/5004f621/se-dbus-0-0001.bin
-------------- next part --------------
<!-- D-BUS SELinux service security context labelling -->

<busconfig>

<policy security_context="system_u:service_r:cupsd_t">
    <allow own="com.redhat.PrintSpooler"/>
    <allow own="org.freedesktop.PrintSpooler"/>
</policy>

<policy security_context="system_u:service_r:dbusd_t">
    <allow own="org.freedesktop.DBus"/>
</policy>

<policy security_context="system_u:service_r:dbustest_t">
    <allow own="org.freedesktop.SomeTestService"/>
</policy>

</busconfig>
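As an added example, not code from the SE-DBUS patch itself: the sepolicy.conf above maps bus names to SELinux security contexts, and the 0.4 changelog notes that the service table is now a plain hash with no longest match on service names. The Python below parses a constructed file in that format into a service-name to context table, resolves names by exact match as the 0.4 patch does, and shows for contrast what a longest-prefix match would have returned for a name nested under a labelled one. The prefix semantics of the dropped longest match (matching on dotted name components) and the rejection of a service labelled with two different contexts are assumptions of this example, not documented behaviour of the patch.

```python
"""Added example (not part of the SE-DBUS patch): parse a sepolicy.conf-style
<busconfig> file and resolve bus names to SELinux security contexts."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the sepolicy.conf attached to the post.
SAMPLE_SEPOLICY = """<busconfig>
<policy security_context="system_u:service_r:cupsd_t">
    <allow own="com.redhat.PrintSpooler"/>
    <allow own="org.freedesktop.PrintSpooler"/>
</policy>
<policy security_context="system_u:service_r:dbusd_t">
    <allow own="org.freedesktop.DBus"/>
</policy>
</busconfig>
"""


def parse_service_contexts(xml_text):
    """Return {bus_name: security_context} for every <allow own=...> under a
    <policy security_context=...> element.  Policies without a
    security_context attribute are ordinary D-BUS policies and are skipped.
    A bus name labelled with two different contexts is rejected (assumption
    of this example), since the bus could not label that service unambiguously."""
    root = ET.fromstring(xml_text)
    if root.tag != "busconfig":
        raise ValueError("expected <busconfig> root, got <%s>" % root.tag)
    mapping = {}
    for policy in root.findall("policy"):
        ctx = policy.get("security_context")
        if ctx is None:
            continue
        for allow in policy.findall("allow"):
            name = allow.get("own")
            if name is None:
                continue
            if name in mapping and mapping[name] != ctx:
                raise ValueError("bus name %s labelled twice: %s vs %s"
                                 % (name, mapping[name], ctx))
            mapping[name] = ctx
    return mapping


def lookup_exact(mapping, bus_name):
    """Exact-match lookup, as the 0.4 patch does: a name that is not itself
    listed gets no label, even if a parent name is labelled."""
    return mapping.get(bus_name)


def lookup_longest_prefix(mapping, bus_name):
    """The longest-match behaviour the 0.4 changelog says was removed, with
    dotted-component prefix semantics assumed here for illustration.  Under
    it, 'org.freedesktop.PrintSpooler.Extra' would inherit cupsd_t."""
    best = None
    for name, ctx in mapping.items():
        if bus_name == name or bus_name.startswith(name + "."):
            if best is None or len(name) > len(best[0]):
                best = (name, ctx)
    return best[1] if best else None


if __name__ == "__main__":
    table = parse_service_contexts(SAMPLE_SEPOLICY)
    for name in ("org.freedesktop.PrintSpooler", "org.freedesktop.PrintSpooler.Extra"):
        print(name, "exact:", lookup_exact(table, name),
              "longest-prefix:", lookup_longest_prefix(table, name))
```

The contrast between the two lookups is the point of the changelog entry: with exact matching, a service name that is not explicitly listed gets no context rather than silently inheriting the label of a similarly named service.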

