selinux: Use selinux_set_mapping() to avoid hardcoded constants for policy

Previous to the introduction of selinux_set_mapping(), DBus pulled
constants generated from the system's policy at build time.  But this
means it's impossible to replace the system policy without rebuilding
userspace components.

This patch maps from arbitrary class/perm indices used by D-Bus and
the policy values and handles all the translation at runtime on
avc_has_perm() calls.

Bug: https://bugs.freedesktop.org/attachment.cgi?id=88719
Reviewed-By: Colin Walters <walters@verbum.org>
Tested-By: Colin Walters <walters@verbum.org>

diff --git a/bus/bus.c b/bus/bus.c
index 307c158..e24504c 100644 (file)
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -894,7 +894,7 @@ bus_context_new (const DBusString *config_file,
 
   if (!bus_selinux_full_init ())
     {
-      bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but AVC initialization failed; check system log\n");
+      bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
     }
 
   if (!process_config_postinit (context, parser, error))

diff --git a/bus/selinux.c b/bus/selinux.c
index 768e55e..99994ca 100644 (file)
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -44,8 +44,6 @@
 #include <syslog.h>
 #include <selinux/selinux.h>
 #include <selinux/avc.h>
-#include <selinux/av_permissions.h>
-#include <selinux/flask.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <stdio.h>
@@ -314,8 +312,27 @@ bus_selinux_pre_init (void)
 #endif
 }
 
+/*
+ * Private Flask definitions; the order of these constants must
+ * exactly match that of the structure array below!
+ */
+/* security dbus class constants */
+#define SECCLASS_DBUS       1
+
+/* dbus's per access vector constants */
+#define DBUS__ACQUIRE_SVC   1
+#define DBUS__SEND_MSG      2
+
+#ifdef HAVE_SELINUX
+static struct security_class_mapping dbus_map[] = {
+  { "dbus", { "acquire_svc", "send_msg", NULL } },
+  { NULL }
+};
+#endif /* HAVE_SELINUX */
+
 /**
- * Initialize the user space access vector cache (AVC) for D-Bus and set up
+ * Establish dynamic object class and permission mapping and
+ * initialize the user space access vector cache (AVC) for D-Bus and set up
  * logging callbacks.
  */
 dbus_bool_t
@@ -334,6 +351,13 @@ bus_selinux_full_init (void)
 
   _dbus_verbose ("SELinux is enabled in this kernel.\n");
 
+  if (selinux_set_mapping (dbus_map) < 0)
+    {
+      _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).\n",
+                   strerror (errno));
+      return FALSE; 
+    }
+
   avc_entry_ref_init (&aeref);
   if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
     {