diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2012-09-06 16:23:11 -0400 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2012-09-18 01:21:17 +0200 |
| commit | e2417e4143bb892e4599b01de7b031763421bb64 (patch) | |
| tree | 28ce7be138180c76054bac7bfa0b30d1a653c7b5 /src/core/selinux-access.h | |
| parent | e9ace802cf907d3652e1ef082b39a0cbed4e19a7 (diff) | |
| download | systemd-e2417e4143bb892e4599b01de7b031763421bb64.tar.gz | |
selinux: add bus service access control
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch adds the ability to look at the calling process that is trying to
do dbus calls into systemd, then it checks with the SELinux policy to see if
the calling process is allowed to do the activity.
The basic idea is we want to allow NetworkManager_t to be able to start and
stop ntpd.service, but not necessarly mysqld.service.
Similarly we want to allow a root admin webadm_t that can only manage the
apache environment. systemctl enable httpd.service, systemctl disable
iptables.service bad.
To make this code cleaner, we really need to refactor the dbus-manager.c code.
This has just become a huge if-then-else blob, which makes doing the correct
check difficult.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5
lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco
=yops
-----END PGP SIGNATURE-----
Diffstat (limited to 'src/core/selinux-access.h')
| -rw-r--r-- | src/core/selinux-access.h | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h new file mode 100644 index 0000000000..a426e0e5ca --- /dev/null +++ b/src/core/selinux-access.h @@ -0,0 +1,28 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +#ifndef selinuxaccesshfoo +#define selinuxaccesshfoo + +/*** + This file is part of systemd. + + Copyright 2012 Dan Walsh + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +void selinux_access_finish(void); +int selinux_manager_access_check(DBusConnection *connection, DBusMessage *message, Manager *m, DBusError *error); +int selinux_unit_access_check(DBusConnection *connection, DBusMessage *message, Manager *m, const char *path, DBusError *error); +#endif |