selinux: Use selinux_set_mapping() to avoid hardcoded constants for policy

Previous to the introduction of selinux_set_mapping(), DBus pulled
constants generated from the system's policy at build time.  But this
means it's impossible to replace the system policy without rebuilding
userspace components.

This patch maps from arbitrary class/perm indices used by D-Bus and
the policy values and handles all the translation at runtime on
avc_has_perm() calls.

Bug: https://bugs.freedesktop.org/attachment.cgi?id=88719
Reviewed-By: Colin Walters <walters@verbum.org>
Tested-By: Colin Walters <walters@verbum.org>

diff --git a/bus/bus.c b/bus/bus.c
index 307c158612b92526eef25edc864f4f419b95ba4e..e24504c3ccfa9ee6c3b73e819d78b7d23fe1cd65 100644 (file)
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -894,7 +894,7 @@ bus_context_new (const DBusString *config_file,
 
   if (!bus_selinux_full_init ())
     {
-      bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but AVC initialization failed; check system log\n");
+      bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
     }
 
   if (!process_config_postinit (context, parser, error))

diff --git a/bus/selinux.c b/bus/selinux.c
index 768e55ef2885a4da6ebd1d4c3c6029c8a26fab81..99994ca9cf4ffceeacaa3b2e8b8f87e3892a7f20 100644 (file)
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -44,8 +44,6 @@
 #include <syslog.h>
 #include <selinux/selinux.h>
 #include <selinux/avc.h>
-#include <selinux/av_permissions.h>
-#include <selinux/flask.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <stdio.h>
@@ -314,8 +312,27 @@ bus_selinux_pre_init (void)
 #endif
 }
 
+/*
+ * Private Flask definitions; the order of these constants must
+ * exactly match that of the structure array below!
+ */
+/* security dbus class constants */
+#define SECCLASS_DBUS       1
+
+/* dbus's per access vector constants */
+#define DBUS__ACQUIRE_SVC   1
+#define DBUS__SEND_MSG      2
+
+#ifdef HAVE_SELINUX
+static struct security_class_mapping dbus_map[] = {
+  { "dbus", { "acquire_svc", "send_msg", NULL } },
+  { NULL }
+};
+#endif /* HAVE_SELINUX */
+
 /**
- * Initialize the user space access vector cache (AVC) for D-Bus and set up
+ * Establish dynamic object class and permission mapping and
+ * initialize the user space access vector cache (AVC) for D-Bus and set up
  * logging callbacks.
  */
 dbus_bool_t
@@ -334,6 +351,13 @@ bus_selinux_full_init (void)
 
   _dbus_verbose ("SELinux is enabled in this kernel.\n");
 
+  if (selinux_set_mapping (dbus_map) < 0)
+    {
+      _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).\n",
+                   strerror (errno));
+      return FALSE; 
+    }
+
   avc_entry_ref_init (&aeref);
   if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
     {