RHEL-15110: Fix issue with registration using gsd-subman

* We were too agresive, when we fixed CVE in this PR: #3317 * It is still safe to allow non-root user to create abstract socket using Start() on interface com.redhat.RHSM1.RegisterServer and destroy it later using Stop(). This abstract socket could be later used by root user for calling e.g. Register() on interface com.redhat.RHSM1.Register. This is way how it works for gsd-subman (run by non-root user) and gsd-subman-helper (run by root user).
candlepin · Oct 31, 2023 · 389ca1f · 389ca1f
1 parent ce67ec6
commit 389ca1f
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/etc-conf/dbus/system.d/com.redhat.RHSM1.conf b/etc-conf/dbus/system.d/com.redhat.RHSM1.conf
@@ -79,6 +79,21 @@
             send_interface="com.redhat.RHSM1.Config"
             send_member="Get"/>
 
+        <!--
+        Non-root user can create abstract socket with Start()
+        method and only root user or user with same UID can
+        use this socket. Only root user can use such socket
+        for calling Register() on interface
+        com.redhat.RHSM1.Register
+        -->
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.RegisterServer"
+            send_member="Start"/>
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.RegisterServer"
+            send_member="Stop"/>
+
         <!--
         The UUID returned by following method is read
         from consumer cert. Only this file is not