From dd21a7724a80640846878d64fb054edaadb4ce67 Mon Sep 17 00:00:00 2001
From: Dave Sugar
Date: Sun, 10 Dec 2023 21:00:27 -0500
Subject: [PATCH 1/3] Changes needed for dbus-broker-launch
node=localhost type=AVC msg=audit(1701877079.240:52506): avc: denied { read } for pid=7055 comm="dbus-broker-lau" name="machine-id" dev="dm-1" ino=131423 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701877079.240:52506): avc: denied { open } for pid=7055 comm="dbus-broker-lau" path="/etc/machine-id" dev="dm-1" ino=131423 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701877079.244:52520): avc: denied { connectto } for pid=7054 comm="dbus-broker-lau" path="/run/user/1001/bus" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc: denied { sendto } for pid=7054 comm="dbus-broker-lau" path="/run/user/1001/systemd/notify" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc: denied { search } for pid=7054 comm="dbus-broker-lau" name="systemd" dev="tmpfs" ino=2 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc: denied { write } for pid=7054 comm="dbus-broker-lau" name="notify" dev="tmpfs" ino=13 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_user_runtime_notify_t:s0 tclass=sock_file permissive=1
Signed-off-by: Dave Sugar
---
 policy/modules/services/dbus.if | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index aa2b0b5e92..ecf8c63870 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -91,7 +91,7 @@ template(`dbus_role_template',`
 dontaudit $1_dbusd_t self:cap_userns sys_ptrace;
 allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
@@ -105,6 +105,9 @@ template(`dbus_role_template',`
 allow $1_dbusd_t $3:process sigkill;
 allow $1_dbusd_t session_dbusd_tmp_t:sock_file manage_sock_file_perms;
+ allow $1_dbusd_t self:unix_stream_socket connectto;
+
+ files_read_etc_runtime_files($1_dbusd_t)
 kernel_getattr_proc($1_dbusd_t)
@@ -116,6 +119,7 @@ template(`dbus_role_template',`
 optional_policy(`
 systemd_read_logind_runtime_files($1_dbusd_t)
 systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
+ systemd_user_send_systemd_notify($1, $1_dbusd_t)
 systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t)
 ')
 ')
From 2680abe1f8b24035b75d8dfe5a239db4c693cef4 Mon Sep 17 00:00:00 2001
From: Dave Sugar
Date: Wed, 20 Dec 2023 09:18:20 -0500
Subject: [PATCH 2/3] Allow dbus-broker-launch to execute in same domain
node=localhost type=AVC msg=audit(1703080976.876:873613): avc: denied { execute_no_trans } for pid=6840 comm="dbus-broker-lau" path="/usr/bin/dbus-broker" dev="dm-1" ino=16361 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar
---
 policy/modules/services/dbus.if | 2 ++
 1 file changed, 2 insertions(+)
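Review bot: The two additions in the `@@ -105,6 +105,9 @@` hunk carry no comment tying them to the denials in the commit message, and both are wider than the single access each denial shows: `files_read_etc_runtime_files($1_dbusd_t)` reads every etc_runtime_t file, not just /etc/machine-id, and `self:unix_stream_socket connectto` covers any stream socket owned by this domain, not only the /run/user/1001/bus socket the AVC records. Both are the usual refpolicy way to express these accesses, so the rules themselves look right; what is missing is the why. Suggest `# dbus-broker-launch reads /etc/machine-id and connects to the bus socket of the broker it spawned (same domain)` above the `connectto` line. The enclosing `dbus_role_template` starts and ends outside this hunk, and the first hunk of this patch is whitespace-only.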
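Review bot: The commit message lists three separate denials on the notify path — `sendto` to the staff_systemd_t unix_dgram_socket, `search` on the systemd_user_runtime_t directory and `write` on the systemd_user_runtime_notify_t sock_file — but the `@@ -116,6 +119,7 @@` hunk resolves them with the single call `systemd_user_send_systemd_notify($1, $1_dbusd_t)`. Whether that interface grants all three (in particular the directory search) is not visible here; if it only covers the socket itself, the `search` denial will return once the domain is enforcing, so please confirm against the interface body in systemd.if. All of the quoted AVCs were collected with `permissive=1`, so a re-test in enforcing mode would show whether anything else was missed. The call sits inside an `optional_policy` block whose closing lines are in the hunk, while the enclosing template continues outside it.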
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index ecf8c63870..a3928149d0 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -116,6 +116,8 @@ template(`dbus_role_template',`
 auth_use_nsswitch($1_dbusd_t)
+ dbus_exec($1_dbusd_t)
+
 optional_policy(`
 systemd_read_logind_runtime_files($1_dbusd_t)
 systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
From 58e4c9a36fe0434d056d642aa951abd495e1d61c Mon Sep 17 00:00:00 2001
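Review bot: `dbus_exec($1_dbusd_t)` grants execute-without-transition on every file labeled dbusd_exec_t, not only the /usr/bin/dbus-broker path in the denial, and the hunk gives no hint that the rule exists because dbus-broker-launch execs dbus-broker inside its own domain. Since dbusd_exec_t is already the entry-point type for this domain (`domain_entry_file($1_dbusd_t, dbusd_exec_t)` is visible in the context of the third patch), the in-domain exec is consistent with the existing design, but a maintainer reading dbus.if later cannot tell that from the line itself. Suggest `# dbus-broker-launch execs dbus-broker in the same domain (no transition)` directly above the call. The enclosing `dbus_role_template` starts and ends outside this hunk.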
From: Dave Sugar
Date: Wed, 20 Dec 2023 13:43:56 -0500
Subject: [PATCH 3/3] dbus changes
dbus needs to map security_t files private type ($1_dbus_tmpfs_t) for file created on tmpfs
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: avc: could not open selinux status page: 13 (Permission denied)
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: ERROR bus_selinux_init_global @ ../src/util/selinux.c +336: Permission denied
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +285
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +295
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: ERROR service_add @ ../src/launch/service.c +921: Transport endpoint is not connected
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_add_services @ ../src/launch/launcher.c +804
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_run @ ../src/launch/launcher.c +1409
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: run @ ../src/launch/main.c +152
Dec 20 18:18:15 localhost.localdomain audisp-syslog[1585]: node=localhost type=AVC msg=audit(1703096295.282:5058): avc: denied { map } for pid=1927 comm="dbus-broker" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: main @ ../src/launch/main.c +178
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: Exiting due to fatal error: -107
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Main process exited, code=exited, status=1/FAILURE
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Failed with result 'exit-code'.
node=localhost type=AVC msg=audit(1703095496.614:486): avc: denied { write } for pid=1838 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc: denied { map } for pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc: denied { read } for pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7369): avc: denied { write } for pid=1839 comm="dbus-broker" name="memfd:dbus-broker-log" dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc: denied { map } for pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc: denied { read } for pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7632): avc: denied { write } for pid=2394 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc: denied { map } for pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc: denied { read } for pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar
---
 policy/modules/services/dbus.if | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index a3928149d0..d13a53a525 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -76,6 +76,9 @@ template(`dbus_role_template',`
 domain_entry_file($1_dbusd_t, dbusd_exec_t)
 ubac_constrained($1_dbusd_t)
+ type $1_dbusd_tmpfs_t;
+ files_tmpfs_file($1_dbusd_tmpfs_t)
+
 role $2 types $1_dbusd_t;
 ##############################
@@ -107,13 +110,19 @@ template(`dbus_role_template',`
 allow $1_dbusd_t session_dbusd_tmp_t:sock_file manage_sock_file_perms;
 allow $1_dbusd_t self:unix_stream_socket connectto;
+ allow $1_dbusd_t $1_dbusd_tmpfs_t:file mmap_rw_inherited_file_perms;
+
 files_read_etc_runtime_files($1_dbusd_t)
+ fs_tmpfs_filetrans($1_dbusd_t, $1_dbusd_tmpfs_t, file)
+
 kernel_getattr_proc($1_dbusd_t)
 corecmd_bin_domtrans($1_dbusd_t, $3)
 corecmd_shell_domtrans($1_dbusd_t, $3)
+ selinux_use_status_page($1_dbusd_t)
+
 auth_use_nsswitch($1_dbusd_t)
 dbus_exec($1_dbusd_t)
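Review bot: The new `type $1_dbusd_tmpfs_t;` in the `@@ -76,6 +76,9 @@` hunk is declared directly below `ubac_constrained($1_dbusd_t)` but is not itself marked `ubac_constrained`, so the per-role private tmpfs files (the AVCs show them created as user_u / toor_u objects) would not fall under UBAC the way the domain does; if this build uses UBAC, adding `ubac_constrained($1_dbusd_tmpfs_t)` after the `files_tmpfs_file` call keeps the pair consistent — please confirm against how other per-role tmpfs types in this tree are declared. Separately, the commit message calls the type `$1_dbus_tmpfs_t` while the code declares `$1_dbusd_tmpfs_t`; the message should match the declaration. The enclosing `dbus_role_template` continues outside the hunk.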
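Review bot: `fs_tmpfs_filetrans($1_dbusd_t, $1_dbusd_tmpfs_t, file)` in the `@@ -107,13 +110,19 @@` hunk has no name component, so every tmpfs file this domain creates — not only the `memfd:dbus-broker-log` file the AVCs were recorded on — receives the private label and the `mmap_rw_inherited_file_perms` access on it; that is the normal shape for refpolicy tmpfs types, but since the commit message describes the type as being for the log memfd, a comment such as `# dbus-broker keeps its log in a memfd; label it privately and allow read/write/map` above the `allow` line would record the intent. The named permission set is presumably wider than the `read write map` in the denials (lock/append/ioctl, if it follows the other `*_inherited_file_perms` sets) — acceptable, but worth knowing when reading the audit trail later. `selinux_use_status_page($1_dbusd_t)` only exposes the read-only selinuxfs status page and matches the `map` denial on /sys/fs/selinux/status, so that addition looks fine as is. The hunk's last context line is `dbus_exec($1_dbusd_t)`, and the enclosing template continues past it.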