From a187318caad4e485e84c1af961f1abe6e88f4423 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Nov 07 2013 19:19:30 +0000
Subject: wip
Conflicts: dbus.spec
---
diff --git a/dbus.spec b/dbus.spec
index 0bd4031..c2906f5 100644
--- a/dbus.spec
+++ b/dbus.spec
@@ -13,7 +13,7 @@ Summary: D-BUS message bus
 Name: dbus
 Epoch: 1
 Version: 1.6.12
-Release: 1%{?dist}
+Release: 1.walterstest%{?dist}
 URL: http://www.freedesktop.org/software/dbus/
 #VCS: git:git://git.freedesktop.org/git/dbus/dbus
 Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
@@ -42,6 +42,7 @@ Requires(pre): /usr/sbin/useradd
 # FIXME this should be upstreamed; need --daemon-bindir=/bin and --bindir=/usr/bin or something?
 Patch0: bindir.patch
+Patch1: selinux.patch
 %description
 D-BUS is a system for sending messages between applications. It is
@@ -91,6 +92,7 @@ in this separate package so server systems need not install X.
 /bin/chmod 0644 COPYING ChangeLog NEWS
 %patch0 -p1 -b .bindir
+%patch1 -p1
 %build
 if test -f autogen.sh; then env NOCONFIGURE=1 ./autogen.sh; else autoreconf -v -f -i; fi
diff --git a/selinux.patch b/selinux.patch
new file mode 100644
index 0000000..fc8c43a
--- /dev/null
+++ b/selinux.patch
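Review bot: `Patch1: selinux.patch` is declared with no comment on its provenance or upstream status, unlike the FIXME note that accompanies `Patch0`, and in the `@@ -91` hunk `%patch1 -p1` omits the `-b` backup suffix that `%patch0 -p1 -b .bindir` uses. Because the patch changes how the bus registers its SELinux class/permission mapping, a one-line pointer belongs next to the declaration, e.g. `# Register dbus class/perms via selinux_set_mapping() instead of fixed flask.h values; upstream status: <TODO>`. The patched code calls selinux_set_mapping(), so the build needs a libselinux that provides it; whether the BuildRequires (not in these hunks) pin such a version cannot be seen here.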
@@ -0,0 +1,99 @@
+From 184d8ae4ed26c1279b732c52191914bcb4962388 Mon Sep 17 00:00:00 2001
+From: osmond sun
+Date: Wed, 6 Nov 2013 00:53:18 +0800
+Subject: [PATCH] Use selinux_set_mapping() to create a mapping from class/perm
+ indices and the policy values
+
+Let D-Bus uses selinux_set_mapping() instead of the hard coded value
+from flask.h and av_permission.h. In this way, It can create a mapping
+from arbitrary class/perm indices used by D-Bus and the policy values
+and handles all the translation at runtime on avc_has_perm() calls.
+---
+ bus/bus.c | 2 +-
+ bus/selinux.c | 19 ++++++++++++++++---
+ bus/selinux.h | 12 ++++++++++++
+ 3 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/bus/bus.c b/bus/bus.c
+index e80e708..521b033 100644
+--- a/bus/bus.c
++++ b/bus/bus.c
+@@ -894,7 +894,7 @@ bus_context_new (const DBusString *config_file,
+
+ if (!bus_selinux_full_init ())
+ {
+- bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but AVC initialization failed; check system log\n");
++ bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
+ }
+
+ if (!process_config_postinit (context, parser, error))
+diff --git a/bus/selinux.c b/bus/selinux.c
+index 36287e9..81e54f5 100644
+--- a/bus/selinux.c
++++ b/bus/selinux.c
+@@ -44,8 +44,6 @@
+ #include
+ #include
+ #include
+-#include
+-#include
+ #include
+ #include
+ #include
+@@ -314,8 +312,16 @@ bus_selinux_pre_init (void)
+ #endif
+ }
+
++#ifdef HAVE_SELINUX
++static struct security_class_mapping dbus_map[] = {
++ { "dbus", { "acquire_svc", "send_msg", NULL } },
++ { NULL }
++};
++#endif /* HAVE_SELINUX */
++
+ /**
+- * Initialize the user space access vector cache (AVC) for D-Bus and set up
++ * Establish dynamic object class and permission mapping and
++ * initialize the user space access vector cache (AVC) for D-Bus and set up
+ * logging callbacks.
+ */
+ dbus_bool_t
+@@ -334,6 +340,13 @@ bus_selinux_full_init (void)
+
+ _dbus_verbose ("SELinux is enabled in this kernel.\n");
+
++ if (selinux_set_mapping (dbus_map) < 0)
++ {
++ _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).\n",
++ strerror (errno));
++ return FALSE;
++ }
++
+ avc_entry_ref_init (&aeref);
+ if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
+ {
+diff --git a/bus/selinux.h b/bus/selinux.h
+index 3bab36d..ab82855 100644
+--- a/bus/selinux.h
++++ b/bus/selinux.h
+@@ -27,6 +27,18 @@
+ #include
+ #include "services.h"
+
++/*
++ * Private Flask definitions
++ */
++
++/* security dbus class constants */
++#define SECCLASS_DBUS 1
++
++/* dbus's per access vector constants */
++#define DBUS__ACQUIRE_SVC 1
++#define DBUS__SEND_MSG 2
++
++
+ dbus_bool_t bus_selinux_pre_init (void);
+ dbus_bool_t bus_selinux_full_init(void);
+ void bus_selinux_shutdown (void);
+--
+1.8.3.1
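Review bot: The constants the bus/selinux.h hunk adds (`SECCLASS_DBUS 1`, `DBUS__ACQUIRE_SVC 1`, `DBUS__SEND_MSG 2`) are only meaningful as positions in the `dbus_map` table that `bus_selinux_full_init ()` hands to `selinux_set_mapping ()`, yet nothing in the header says so, and the heading `Private Flask definitions` suggests they are policy constants, which after this patch they are not. Reordering or extending `dbus_map` in bus/selinux.c without touching the header would make the `avc_has_perm ()` checks silently test the wrong permission, so the header comment should state the coupling, e.g. `/* Indices into dbus_map in bus/selinux.c, as registered with selinux_set_mapping(); keep these in the same order as that table. */`, with a matching `/* Order must match SECCLASS_DBUS / DBUS__* in selinux.h */` above `dbus_map`. The branch in the `@@ -334` hunk that returns FALSE when `selinux_set_mapping ()` rejects the table, which the bus.c hunk shows the caller logging at FATAL level, keeps the bus fail-closed rather than running with an unmapped class, which is the right default; `bus_selinux_full_init ()` begins and ends outside that hunk.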