Initial commit.

dbus-1/session.conf

@@ -0,0 +1,19 @@
+<!--
+This configuration file is no longer required and may be removed.
+
+In older versions of dbus, this file defined the behaviour of the well-known
+session bus. That behaviour is now determined by
+/usr/share/dbus-1/session.conf, which should not be edited.
+
+For local configuration changes, create a file
+session-local.conf or files matching session.d/*.conf in the same directory
+as this one, with a <busconfig> element containing configuration directives.
+These directives can override D-Bus or OS defaults.
+
+For upstream or distribution-wide defaults that can be overridden
+by a local sysadmin, create files matching
+/usr/share/dbus-1/session.d/*.conf instead.
+-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig></busconfig>

dbus-1/system.conf

@@ -0,0 +1,19 @@
+<!--
+This configuration file is no longer required and may be removed.
+
+In older versions of dbus, this file defined the behaviour of the well-known
+system bus. That behaviour is now determined by
+/usr/share/dbus-1/system.conf, which should not be edited.
+
+For local configuration changes, create a file
+system-local.conf or files matching system.d/*.conf in the same directory
+as this one, with a <busconfig> element containing configuration directives.
+These directives can override D-Bus or OS defaults.
+
+For upstream or distribution-wide defaults that can be overridden
+by a local sysadmin, create files matching
+/usr/share/dbus-1/system.d/*.conf instead.
+-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig></busconfig>

dbus-1/system.d/com.redhat.RHSM1.Facts.conf

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
+
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+    <policy user="root">
+        <allow own="com.redhat.RHSM1.Facts"/>
+
+        <!--
+        Lock down the facts object to root access only since
+        some facts contain sensitive information (q.v. CVE-2016-4455)
+        -->
+        <allow send_destination="com.redhat.RHSM1.Facts"
+          send_interface="com.redhat.RHSM1.Facts"/>
+
+        <!-- Basic D-Bus API stuff -->
+        <allow send_destination="com.redhat.RHSM1.Facts"
+            send_interface="org.freedesktop.DBus.Introspectable"/>
+        <allow send_destination="com.redhat.RHSM1.Facts"
+            send_interface="org.freedesktop.DBus.Properties"/>
+        <allow send_destination="com.redhat.RHSM1.Facts"
+            send_interface="org.freedesktop.DBus.ObjectManager"/>
+    </policy>
+
+
+    <policy context="default">
+      <!-- Basic D-Bus API stuff -->
+      <allow send_destination="com.redhat.RHSM1.Facts"
+          send_interface="org.freedesktop.DBus.Introspectable"/>
+      <allow send_destination="com.redhat.RHSM1.Facts"
+          send_interface="org.freedesktop.DBus.Properties"/>
+      <allow send_destination="com.redhat.RHSM1.Facts"
+          send_interface="org.freedesktop.DBus.ObjectManager"/>
+  </policy>
+
+</busconfig>
+

dbus-1/system.d/com.redhat.RHSM1.conf

@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
+
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+    <policy user="root">
+        <allow own="com.redhat.RHSM1"/>
+
+        <!-- Basic D-Bus API stuff -->
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="org.freedesktop.DBus.Introspectable"/>
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="org.freedesktop.DBus.Properties"/>
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="org.freedesktop.DBus.ObjectManager"/>
+
+        <!-- allow Config.Set from root -->
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.Config"
+            send_member="Set"/>
+    </policy>
+
+
+    <policy context="default">
+        <!-- TODO: make these read-only by default -->
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1"/>
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.Attach"/>
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.Products"/>
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.Config"/>
+
+        <!-- deny Config.Set by default -->
+        <deny send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.Config"
+            send_member="Set"/>
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.RegisterServer"/>
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.Unregister"/>
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.Entitlement"/>
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.Consumer"/>
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.Syspurpose"/>
+
+        <!-- Basic D-Bus API stuff -->
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="org.freedesktop.DBus.Introspectable"/>
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="org.freedesktop.DBus.Properties"/>
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="org.freedesktop.DBus.ObjectManager"/>
+    </policy>
+</busconfig>
+

dbus-1/system.d/com.redhat.tuned.conf

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+	<policy context="default">
+		<allow receive_sender="com.redhat.tuned" />
+		<allow send_destination="com.redhat.tuned" send_interface="org.freedesktop.DBus.Introspectable" />
+		<allow send_destination="com.redhat.tuned" send_interface="com.redhat.tuned.control" />
+	</policy>
+
+	<policy user="root">
+		<allow own="com.redhat.tuned" />
+		<allow send_destination="com.redhat.tuned" />
+	</policy>
+</busconfig>

dbus-1/system.d/nm-dispatcher.conf

@@ -0,0 +1,13 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+    <policy user="root">
+        <allow own="org.freedesktop.nm_dispatcher"/>
+        <allow send_destination="org.freedesktop.nm_dispatcher"/>
+    </policy>
+    <policy context="default">
+        <deny own="org.freedesktop.nm_dispatcher"/>
+        <deny send_destination="org.freedesktop.nm_dispatcher"/>
+    </policy>
+</busconfig>

dbus-1/system.d/nm-ifcfg-rh.conf

@@ -0,0 +1,11 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+    <policy context="default">
+        <allow send_destination="com.redhat.ifcfgrh1"/>
+    </policy>
+    <policy user="root">
+        <allow own="com.redhat.ifcfgrh1"/>
+    </policy>
+</busconfig>

dbus-1/system.d/oddjob-mkhomedir.conf

@@ -0,0 +1,48 @@
+<?xml version="1.0"?>
+
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+  <!-- This configuration file specifies the required security policies
+       for the oddjob_mkhomedir service to work.  It controls which requests
+       users will be allowed to issue to oddjobd over the bus, which is quite
+       different from controlling whether or not oddjobd will attempt to
+       fulfill the request. -->
+
+  <!-- Only root can own (provide) the com.redhat.oddjob_mkhomedir service
+       on the system bus. -->
+  <policy user="root">
+    <allow own="com.redhat.oddjob_mkhomedir"/>
+  </policy>
+
+  <!-- Allow anyone to call the introspection methods of any object
+       provided by the com.redhat.oddjob_mkhomedir service. -->
+  <policy context="default">
+    <allow send_destination="com.redhat.oddjob_mkhomedir"
+           send_interface="org.freedesktop.DBus.Introspectable"/>
+  </policy>
+
+  <!-- Allow anyone to try to call the mkhomedirfor method, which is part of
+       the "mkhomedir" interface implemented by the "/" object provided
+       by the com.redhat.oddjob_mkhomedir service. -->
+  <policy context="default">
+    <allow send_destination="com.redhat.oddjob_mkhomedir"
+           send_path="/"
+           send_interface="com.redhat.oddjob_mkhomedir"
+           send_member="mkhomedirfor"/>
+  </policy>
+
+  <!-- Allow anyone to try to call the mkmyhomedir method, which is part of
+       the "mkhomedir" interface implemented by the "/" object provided
+       by the com.redhat.oddjob_mkhomedir service. -->
+  <policy context="default">
+    <allow send_destination="com.redhat.oddjob_mkhomedir"
+           send_path="/"
+           send_interface="com.redhat.oddjob_mkhomedir"
+           send_member="mkmyhomedir"/>
+  </policy>
+
+</busconfig>

dbus-1/system.d/oddjob.conf

@@ -0,0 +1,58 @@
+<?xml version="1.0"?>
+
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+  <!-- This configuration file specifies the required security policies
+       for the oddjob service to work.  It controls which requests users
+       will be allowed to issue to oddjobd over the bus, which is quite
+       different from controlling whether or not oddjobd will attempt to
+       fulfill the request. -->
+
+  <!-- Only root can own the oddjob service -->
+  <policy user="root">
+    <allow own="com.redhat.oddjob"/>
+  </policy>
+
+  <!-- Allow anyone to try to call the quit method of the
+       com.redhat.oddjob interface implemented by the
+       /com/redhat/oddjob object provided by the
+       com.redhat.oddjob service -->
+  <policy context="default">
+    <allow send_destination="com.redhat.oddjob" send_path="/com/redhat/oddjob" send_interface="com.redhat.oddjob" send_member="quit"/>
+  </policy>
+
+  <!-- Allow anyone to try to call the list method of the
+       com.redhat.oddjob interface implemented by the
+       /com/redhat/oddjob object provided by the
+       com.redhat.oddjob service -->
+  <policy context="default">
+    <allow send_destination="com.redhat.oddjob" send_path="/com/redhat/oddjob" send_interface="com.redhat.oddjob" send_member="list"/>
+  </policy>
+
+  <!-- Allow anyone to try to call the listall method of the
+       com.redhat.oddjob interface implemented by the
+       /com/redhat/oddjob object provided by the
+       com.redhat.oddjob service -->
+  <policy context="default">
+    <allow send_destination="com.redhat.oddjob" send_path="/com/redhat/oddjob" send_interface="com.redhat.oddjob" send_member="listall"/>
+  </policy>
+
+  <!-- Allow anyone to try to call the reload method of the
+       com.redhat.oddjob interface implemented by the
+       /com/redhat/oddjob object provided by the
+       com.redhat.oddjob service -->
+  <policy context="default">
+    <allow send_destination="com.redhat.oddjob" send_path="/com/redhat/oddjob" send_interface="com.redhat.oddjob" send_member="reload"/>
+  </policy>
+
+  <!-- Allow anyone to try to call the introspection methods of the
+       every object provided by the com.redhat.oddjob service -->
+  <policy context="default">
+    <allow send_destination="com.redhat.oddjob" send_interface="org.freedesktop.DBus.Introspectable"/>
+  </policy>
+
+</busconfig>

dbus-1/system.d/org.freedesktop.NetworkManager.conf

@@ -0,0 +1,111 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+    <policy user="root">
+        <allow own="org.freedesktop.NetworkManager"/>
+        <allow send_destination="org.freedesktop.NetworkManager"/>
+
+        <allow send_destination="org.freedesktop.NetworkManager"
+               send_interface="org.freedesktop.NetworkManager.PPP"/>
+
+        <allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
+
+        <!-- These are there because some broken policies do
+             <deny send_interface="..." /> (see dbus-daemon(8) for details).
+             This seems to override that for the known VPN plugins.
+          -->
+        <allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
+        <allow send_destination="org.freedesktop.NetworkManager.openswan"/>
+        <allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
+        <allow send_destination="org.freedesktop.NetworkManager.pptp"/>
+        <allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
+        <allow send_destination="org.freedesktop.NetworkManager.ssh"/>
+        <allow send_destination="org.freedesktop.NetworkManager.iodine"/>
+        <allow send_destination="org.freedesktop.NetworkManager.l2tp"/>
+        <allow send_destination="org.freedesktop.NetworkManager.libreswan"/>
+        <allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/>
+        <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
+        <allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
+
+        <allow send_destination="org.fedoraproject.FirewallD1"/>
+
+        <!-- Allow the custom name for the dnsmasq instance spawned by NM
+             from the dns dnsmasq plugin to own its dbus name, and for
+             messages to be sent to it.
+         -->
+        <allow own="org.freedesktop.NetworkManager.dnsmasq"/>
+        <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
+    </policy>
+    <policy context="default">
+        <deny own="org.freedesktop.NetworkManager"/>
+
+        <deny send_destination="org.freedesktop.NetworkManager"/>
+
+        <!-- Basic D-Bus API stuff -->
+        <allow send_destination="org.freedesktop.NetworkManager"
+               send_interface="org.freedesktop.DBus.Introspectable"/>
+        <allow send_destination="org.freedesktop.NetworkManager"
+               send_interface="org.freedesktop.DBus.Properties"/>
+        <allow send_destination="org.freedesktop.NetworkManager"
+               send_interface="org.freedesktop.DBus.ObjectManager"/>
+
+        <!-- Devices (read-only properties, no methods) -->
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.AccessPoint"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Bond"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Bridge"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Generic"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Gre"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Team"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Tun"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Veth"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Vlan"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.WifiP2PPeer"/>
+
+        <!-- Devices (read-only, no security required) -->
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>
+
+        <!-- Devices (read/write, secured with PolicyKit) -->
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.WifiP2P"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device"/>
+
+        <!-- Core stuff (read-only properties, no methods) -->
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.DHCP6Config"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.IP4Config"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.IP6Config"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>
+
+        <!-- Core stuff (read/write, secured with PolicyKit) -->
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Settings"/>
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>
+
+        <!-- Agents; secured with PolicyKit.  Any process can talk to
+             the AgentManager API, but only NetworkManager can talk
+             to the agents themselves. -->
+        <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.AgentManager"/>
+
+        <!-- Root-only functions -->
+        <deny send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager"          send_member="SetLogging"/>
+        <deny send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager"          send_member="Sleep"/>
+        <deny send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Settings" send_member="LoadConnections"/>
+        <deny send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Settings" send_member="ReloadConnections"/>
+
+        <deny own="org.freedesktop.NetworkManager.dnsmasq"/>
+        <deny send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
+    </policy>
+
+    <limit name="max_replies_per_connection">1024</limit>
+    <limit name="max_match_rules_per_connection">2048</limit>
+</busconfig>

dbus-1/system.d/org.freedesktop.PolicyKit1.conf

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
+
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy user="polkitd">
+    <allow own="org.freedesktop.PolicyKit1"/>
+  </policy>
+
+  <policy context="default">
+    <allow send_destination="org.freedesktop.PolicyKit1"/>
+  </policy>
+
+  <!-- Allow uid 0 to send messages on the org.freedesktop.PolicyKit1.AuthenticationAgent interface -->
+  <policy user="polkitd">
+    <allow send_interface="org.freedesktop.PolicyKit1.AuthenticationAgent"/>
+  </policy>
+
+</busconfig>

dbus-1/system.d/org.selinux.conf

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
+
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+  <!-- Only root can own the service -->
+  <policy user="root">
+    <allow own="org.selinux"/>
+  </policy>
+
+  <!-- Allow anyone to invoke methods on the interfaces,
+       authorization is performed by PolicyKit -->
+  <policy context="default">
+    <allow send_destination="org.selinux"/>
+  </policy>
+
+</busconfig>

dbus-1/system.d/teamd.conf

@@ -0,0 +1,12 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+	"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+	<policy user="root">
+		<allow own_prefix="org.libteam.teamd"/>
+		<allow send_interface="org.libteam.teamd"/>
+	</policy>
+	<policy context="default">
+		<deny own_prefix="org.libteam.teamd"/>
+	</policy>
+</busconfig>