diff --git a/etc-conf/dbus/system.d/com.redhat.RHSM1.conf b/etc-conf/dbus/system.d/com.redhat.RHSM1.conf index e21c57263..11adf1d79 100644 --- a/etc-conf/dbus/system.d/com.redhat.RHSM1.conf +++ b/etc-conf/dbus/system.d/com.redhat.RHSM1.conf @@ -7,23 +7,9 @@ <policy user="root"> <allow own="com.redhat.RHSM1"/> - <!-- Basic D-Bus API stuff --> - <allow send_destination="com.redhat.RHSM1" - send_interface="org.freedesktop.DBus.Introspectable"/> - <allow send_destination="com.redhat.RHSM1" - send_interface="org.freedesktop.DBus.Properties"/> - <allow send_destination="com.redhat.RHSM1" - send_interface="org.freedesktop.DBus.ObjectManager"/> - - <!-- allow Config.Set from root --> - <allow send_destination="com.redhat.RHSM1" - send_interface="com.redhat.RHSM1.Config" - send_member="Set"/> - </policy> - - - <policy context="default"> - <!-- TODO: make these read-only by default --> + <!-- + Lock down the objects to root access only + --> <allow send_destination="com.redhat.RHSM1" send_interface="com.redhat.RHSM1"/> @@ -37,11 +23,6 @@ <allow send_destination="com.redhat.RHSM1" send_interface="com.redhat.RHSM1.Config"/> - <!-- deny Config.Set by default --> - <deny send_destination="com.redhat.RHSM1" - send_interface="com.redhat.RHSM1.Config" - send_member="Set"/> - <allow send_destination="com.redhat.RHSM1" send_interface="com.redhat.RHSM1.RegisterServer"/> @@ -65,5 +46,54 @@ <allow send_destination="com.redhat.RHSM1" send_interface="org.freedesktop.DBus.ObjectManager"/> </policy> -</busconfig> + + <policy context="default"> + + <!-- + Non-root users can execute only methods providing + information from files readable by non-root users. + --> + + <allow send_destination="com.redhat.RHSM1" + send_interface="com.redhat.RHSM1.Entitlement" + send_member="GetStatus"/> + + <allow send_destination="com.redhat.RHSM1" + send_interface="com.redhat.RHSM1.Products" + send_member="ListInstalledProducts"/> + + <allow send_destination="com.redhat.RHSM1" + send_interface="com.redhat.RHSM1.Syspurpose" + send_member="GetSyspurpose"/> + + <allow send_destination="com.redhat.RHSM1" + send_interface="com.redhat.RHSM1.Syspurpose" + send_member="GetSyspurposeStatus"/> + + <allow send_destination="com.redhat.RHSM1" + send_interface="com.redhat.RHSM1.Config" + send_member="GetAll"/> + + <allow send_destination="com.redhat.RHSM1" + send_interface="com.redhat.RHSM1.Config" + send_member="Get"/> + + <!-- + The UUID returned by following method is read + from consumer cert. Only this file is not + readable by non-root users. + --> + <allow send_destination="com.redhat.RHSM1" + send_interface="com.redhat.RHSM1.Consumer" + send_member="GetUuid"/> + + <!-- Basic D-Bus API stuff --> + <allow send_destination="com.redhat.RHSM1" + send_interface="org.freedesktop.DBus.Introspectable"/> + <allow send_destination="com.redhat.RHSM1" + send_interface="org.freedesktop.DBus.Properties"/> + <allow send_destination="com.redhat.RHSM1" + send_interface="org.freedesktop.DBus.ObjectManager"/> + </policy> +</busconfig>