* [refpolicy] Basic policy for KDE and Konqueror, third look
@ 2009-09-14 9:20 Nicky726
2009-09-16 13:31 ` Christopher J. PeBenito
0 siblings, 1 reply; 7+ messages in thread
From: Nicky726 @ 2009-09-14 9:20 UTC (permalink / raw)
To: refpolicy
Hello,
my previous post got somehow cripled by web-mail interface, so lets try it
better this time:
I incorporated to my policy most of comments by Dominick Grift and
reorganized the konqueror.te structure according to this article:
http://danwalsh.livejournal.com/14442.html, therefore I send the
policy for further comments, so I could make it better.
P.S.
There is still isue because of type_transition in
files_kde_home_filetrans() interface. Dominick Grift suggests using
manage_files_pattern instead. The problem is, that only
manage_files_pattern is not enough for it to work corretly (or I have
there some mistake). type_transition or filetrans_pattern is needed,
as konqueror_home_t files reside in kde_shared_home_t directory and
when they are rewriten, they tend to keep kde_shared_home_t type,
which is not desired. Therefor I decided to keep the
filetrans_pattern, but if anyone could think of better working
solution, I'm ready to adopt it.
P.P.S.
What steps are needed to get this policy adopted to main refpolicy?
Thanks for your time,
Ondrej Vadinsky
--
"Don't it always seem to go
That you don't know what you've got
Till it's gone."
(Joni Mitchell)
-------------- next part --------------
# Qt config file
HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)
# KDE home
HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)
-------------- next part --------------
## <summary>Basic kde confinement</summary>
########################################
## <summary>
## Search kde_shared_home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kde_search_home_dir',`
gen_require(`
type kde_shared_home_t;
')
allow $1 kde_shared_home_t:dir search_dir_perms;
files_search_rw($1)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Read kde_shared_home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kde_read_home_files',`
gen_require(`
type kde_shared_home_t;
')
allow $1 kde_shared_home_t:file r_file_perms;
allow $1 kde_shared_home_t:dir list_dir_perms;
files_search_rw($1)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create, read, write, and delete
## kde_shared_home files links and dirs
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kde_manage_home_files',`
gen_require(`
type kde_shared_home_t;
')
allow $1 kde_shared_home_t:file manage_file_perms;
allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
allow $1 kde_shared_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Manage kde_shared_home files links and dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kde_manage_home',`
gen_require(`
type kde_shared_home_t;
')
manage_dirs_pattern($1,kde_shared_home_t,kde_shared_home_t)
manage_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
manage_lnk_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create file, dir, links of specified type in
## kde_shared_home_t dirs with type transition
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="private type">
## <summary>
## Private type of created object
## </summary>
## </param>
#
interface(`files_kde_home_filetrans',`
gen_require(`
type kde_shared_home_t;
')
#type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;
manage_files_pattern($1,kde_shared_home_t,$2)
manage_lnk_files_pattern($1,kde_shared_home_t,$2)
manage_sock_files_pattern($1,kde_shared_home_t,$2)
manage_dirs_pattern($1,kde_shared_home_t,$2)
#Filetrans needed, as the directory is of other type, than created object
filetrans_pattern($1,kde_shared_home_t,$2,{ file lnk_file sock_file dir })
')
-------------- next part --------------
policy_module(kde,0.0.7)
########################################
#
# Declarations
#
type kde_shared_tmp_t;
files_tmp_file(kde_shared_tmp_t)
ubac_constrained(kde_shared_tmp_t)
type kde_shared_home_t;
userdom_user_home_content(kde_shared_home_t)
-------------- next part --------------
/usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)
HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
-------------- next part --------------
## <summary>Policy for Konqueror</summary>
########################################
## <summary>
## Role access for konqueror
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`konqueror_role',`
gen_require(`
type konqueror_t, konqueror_exec_t, konqueror_home_t;
')
role $1 types konqueror_t;
konqueror_domtrans($2)
# Unrestricted inheritance from the caller.
allow konqueror_t $2:fd use;
allow konqueror_t $2:process signal_perms;
dontaudit $2 konqueror_t:process { noatsecure siginh rlimitinh };
# Allow the user domain to signal/ps.
ps_process_pattern($2, konqueror_t)
allow $2 konqueror_t:process signal_perms;
allow $2 konqueror_t:fd use;
allow $2 konqueror_t:shm { associate getattr };
allow $2 konqueror_t:shm { unix_read unix_write };
allow $2 konqueror_t:unix_stream_socket connectto;
# X access, Home files
manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
userdom_stream_connect(konqueror_t)
# Allow konqueror to acquire dbus service from user domain and chat with konqueror
# This is workaround for not yet implemented interface in dbus
optional_policy(`
gen_require(`
class dbus acquire_svc;
')
allow konqueror_t $2:dbus acquire_svc;
')
konqueror_dbus_chat($2)
')
########################################
## <summary>
## Execute a domain transition to run konqueror.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`konqueror_domtrans',`
gen_require(`
type konqueror_t;
type konqueror_exec_t;
')
domtrans_pattern($1,konqueror_exec_t,konqueror_t)
')
########################################
## <summary>
## Search konqueror rw directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_search_home_dir',`
gen_require(`
type konqueror_home_t;
')
allow $1 konqueror_home_t:dir search_dir_perms;
files_search_rw($1)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Read konqueror rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_read_home_files',`
gen_require(`
type konqueror_home_t;
')
allow $1 konqueror_home_t:file r_file_perms;
allow $1 konqueror_home_t:dir list_dir_perms;
files_search_rw($1)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create, read, write, and delete
## konqueror rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_manage_home_files',`
gen_require(`
type konqueror_home_t;
')
allow $1 konqueror_home_t:file manage_file_perms;
allow $1 konqueror_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Manage konqueror rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_manage_home',`
gen_require(`
type konqueror_home_t;
')
manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Send and receive messages from
## konqueror over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_dbus_chat',`
gen_require(`
type konqueror_t;
')
optional_policy(`
gen_require(`
class dbus send_msg;
')
allow $1 konqueror_t:dbus send_msg;
allow konqueror_t $1:dbus send_msg;
')
')
########################################
## <summary>
## All of the rules required to administrate
## an konqueror environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the konqueror domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`konqueror_admin',`
gen_require(`
type konqueror_t;
')
allow $1 konqueror_t:process { ptrace signal_perms getattr };
read_files_pattern($1, konqueror_t, konqueror_t)
konqueror_manage_home($1)
optional_policy(`
kde_manage_tmp($1)
')
')
-------------- next part --------------
policy_module(konqueror,0.3)
########################################
#
# Konqueror personal declarations
#
## <desc>
## <p>
## Allow Konqueror to run bin_t because of drkonqi
## </p>
## </desc>
gen_tunable(konqueror_exec_bin_t, false)
type konqueror_t;
type konqueror_exec_t;
application_domain(konqueror_t, konqueror_exec_t)
ubac_constrained(konqueror_t)
type konqueror_home_t;
userdom_user_home_content(konqueror_home_t)
type konqueror_tmp_t;
files_tmp_file(konqueror_tmp_t)
ubac_constrained(konqueror_tmp_t)
########################################
#
# Konqueror local policy
#
#
# Allow rules and patterns
#
allow konqueror_t self:fifo_file rw_file_perms; # Internal communication using fifo
allow konqueror_t self:process getsched; # get self process priority
allow konqueror_t self:tcp_socket create_stream_socket_perms;
konqueror_dbus_chat(konqueror_t) # internal comunication done by dbus
# Temp acces for konqueror
manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
konqueror_manage_home(konqueror_t) # full access to konqueror home
#
# Interfaces from kernel directory
#
# Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
corecmd_dontaudit_getattr_bin_files(konqueror_t)
corecmd_dontaudit_exec_all_executables(konqueror_t)
# Access to ports
corenet_all_recvfrom_unlabeled(konqueror_t)
corenet_tcp_sendrecv_all_if(konqueror_t)
corenet_tcp_sendrecv_all_nodes(konqueror_t)
corenet_tcp_sendrecv_all_ports(konqueror_t)
corenet_tcp_connect_ftp_data_port(konqueror_t)
corenet_tcp_connect_ftp_port(konqueror_t)
corenet_tcp_connect_http_port(konqueror_t)
corenet_tcp_connect_http_cache_port(konqueror_t)
dev_read_urand(konqueror_t) #/dev/urandom
files_read_etc_files(konqueror_t)
files_read_usr_files(konqueror_t) #/usr
fs_getattr_xattr_fs(konqueror_t) # extended atributes support
kernel_read_system_state(konqueror_t) #/proc
#
# Interfaces from system directory
#
# Use shared libs
libs_use_ld_so(konqueror_t)
libs_use_shared_libs(konqueror_t)
# Read localization and fonts
miscfiles_read_fonts(konqueror_t)
miscfiles_read_localization(konqueror_t)
sysnet_dns_name_resolve(konqueror_t)
# Now KDE temp stuff is created with user_tmp_t with more KDE aps confined
# it'll have the right context. For now grant minimal necessary access to usr temp
userdom_read_user_tmp_files(konqueror_t)
userdom_use_user_terminals(konqueror_t) #run from terminal
# To ensure, that konqueror files with usr_tmp_t are labeled correctly as konqueror_tmp_t
userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })
#
# Interfaces from other directories
#
xserver_read_xdm_tmp_files(konqueror_t)
xserver_read_user_xauth(konqueror_t)
xserver_stream_connect(konqueror_t) #connect to xserver
xserver_stream_connect_xdm(konqueror_t) #connect to xdm xserver
#
# Tunable policies
#
tunable_policy(`konqueror_exec_bin_t',`
corecmd_exec_bin(konqueror_t)
')
#
# Optional policies
#
# Access to kde_shared_home_t, should be reduced in future
# Transition so that konqueror_home_files in kde_shared_home_t dir
# wouldn't switch to parent directory type
optional_policy(`
kde_manage_home_files(konqueror_t)
files_kde_home_filetrans(konqueror_t, konqueror_home_t)
')
# For testing purpouses only!
# Should be in userdomain.if
gen_require(`
type unconfined_t;
role unconfined_r;
')
konqueror_role(unconfined_r, unconfined_t)
^ permalink raw reply [flat|nested] 7+ messages in thread* [refpolicy] Basic policy for KDE and Konqueror, third look
2009-09-14 9:20 [refpolicy] Basic policy for KDE and Konqueror, third look Nicky726
@ 2009-09-16 13:31 ` Christopher J. PeBenito
2010-01-27 15:23 ` Nicky726
0 siblings, 1 reply; 7+ messages in thread
From: Christopher J. PeBenito @ 2009-09-16 13:31 UTC (permalink / raw)
To: refpolicy
On Mon, 2009-09-14 at 11:20 +0200, Nicky726 wrote:
> Hello,
>
> my previous post got somehow cripled by web-mail interface, so lets
> try it
> better this time:
>
> I incorporated to my policy most of comments by Dominick Grift and
> reorganized the konqueror.te structure according to this article:
> http://danwalsh.livejournal.com/14442.html, therefore I send the
> policy for further comments, so I could make it better.
I have comments inline, below.
> P.S.
>
> There is still isue because of type_transition in
> files_kde_home_filetrans() interface. Dominick Grift suggests using
> manage_files_pattern instead. The problem is, that only
> manage_files_pattern is not enough for it to work corretly (or I have
> there some mistake). type_transition or filetrans_pattern is needed,
> as konqueror_home_t files reside in kde_shared_home_t directory and
> when they are rewriten, they tend to keep kde_shared_home_t type,
> which is not desired. Therefor I decided to keep the
> filetrans_pattern, but if anyone could think of better working
> solution, I'm ready to adopt it.
>
> P.P.S.
>
> What steps are needed to get this policy adopted to main refpolicy?
http://oss.tresys.com/projects/refpolicy/wiki/HowToContribute
>
>
>
>
> plain text
> document
> attachment
> (kde.fc)
>
> # Qt config file
> HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)
> # KDE home
> HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)
>
Please line up the columns to make for easier reading.
>
>
>
>
>
>
> plain text
> document
> attachment
> (kde.if)
>
> ## <summary>Basic kde confinement</summary>
Please put a better summary. It should say what KDE is, not that this
is a policy for KDE.
> ########################################
> ## <summary>
> ## Search kde_shared_home directories.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_search_home_dir',`
kde_search_home()
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:dir search_dir_perms;
> files_search_rw($1)
files_search_rw() does not exist. If you intend to add it, it needs a
better name.
Please use tabs for indenting, instead of spaces.
> userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Read kde_shared_home files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_read_home_files',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:file r_file_perms;
Please don't use deprecated permission sets (r_file_perms).
> allow $1 kde_shared_home_t:dir list_dir_perms;
> files_search_rw($1)
> userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> ## kde_shared_home files links and dirs
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_manage_home_files',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:file manage_file_perms;
> allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
> allow $1 kde_shared_home_t:dir rw_dir_perms;
> userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Manage kde_shared_home files links and dirs.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_manage_home',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> manage_dirs_pattern($1,kde_shared_home_t,kde_shared_home_t)
> manage_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
>
> manage_lnk_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
> userdom_search_user_home_dirs($1)
> ')
Needs to be split out into manage dirs and manage symlinks interfaces.
> ########################################
> ## <summary>
> ## Create file, dir, links of specified type in
> ## kde_shared_home_t dirs with type transition
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access
> ## </summary>
> ## </param>
> ## <param name="private type">
> ## <summary>
> ## Private type of created object
> ## </summary>
> ## </param>
> #
> interface(`files_kde_home_filetrans',`
kde_home_filetrans()
> gen_require(`
> type kde_shared_home_t;
> ')
>
> #type_transition $1 kde_shared_home_t:{ file lnk_file
> sock_file dir } $2;
> manage_files_pattern($1,kde_shared_home_t,$2)
> manage_lnk_files_pattern($1,kde_shared_home_t,$2)
> manage_sock_files_pattern($1,kde_shared_home_t,$2)
> manage_dirs_pattern($1,kde_shared_home_t,$2)
All of these manage rules should be removed. A filetrans interface
should only have filetrans rules and, if needed, rules for searching to
the particular directory.
> #Filetrans needed, as the directory is of other type, than
> created object
> filetrans_pattern($1,kde_shared_home_t,$2,{ file lnk_file
> sock_file dir })
> ')
>
>
>
>
>
>
>
> plain text
> document
> attachment
> (kde.te)
>
>
> policy_module(kde,0.0.7)
>
> ########################################
> #
> # Declarations
> #
> type kde_shared_tmp_t;
> files_tmp_file(kde_shared_tmp_t)
> ubac_constrained(kde_shared_tmp_t)
>
> type kde_shared_home_t;
> userdom_user_home_content(kde_shared_home_t)
I would drop the "shared" from the type names.
>
>
>
>
>
>
> plain text
> document
> attachment
> (konqueror.fc)
>
>
> /usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)
>
> HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
Please line up the columns to make for easier reading.
>
>
>
>
>
>
> plain text
> document
> attachment
> (konqueror.if)
>
> ## <summary>Policy for Konqueror</summary>
Needs a better summary.
> ########################################
> ## <summary>
> ## Role access for konqueror
> ## </summary>
> ## <param name="role">
> ## <summary>
> ## Role allowed access
> ## </summary>
> ## </param>
> ## <param name="domain">
> ## <summary>
> ## User domain for the role
> ## </summary>
> ## </param>
> #
> interface(`konqueror_role',`
> gen_require(`
> type konqueror_t, konqueror_exec_t, konqueror_home_t;
> ')
>
> role $1 types konqueror_t;
>
> konqueror_domtrans($2)
> # Unrestricted inheritance from the caller.
> allow konqueror_t $2:fd use;
> allow konqueror_t $2:process signal_perms;
> dontaudit $2 konqueror_t:process { noatsecure siginh
> rlimitinh };
Does konqueror really need all this inheritance, or is this copied from
the mozilla policy?
> # Allow the user domain to signal/ps.
> ps_process_pattern($2, konqueror_t)
> allow $2 konqueror_t:process signal_perms;
>
> allow $2 konqueror_t:fd use;
> allow $2 konqueror_t:shm { associate getattr };
> allow $2 konqueror_t:shm { unix_read unix_write };
> allow $2 konqueror_t:unix_stream_socket connectto;
>
> # X access, Home files
> manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
> manage_lnk_files_pattern($2, konqueror_home_t,
> konqueror_home_t)
> relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_lnk_files_pattern($2, konqueror_home_t,
> konqueror_home_t)
>
> userdom_stream_connect(konqueror_t)
>
> # Allow konqueror to acquire dbus service from user domain and
> chat with konqueror
> # This is workaround for not yet implemented interface in dbus
> optional_policy(`
> gen_require(`
> class dbus acquire_svc;
> ')
> allow konqueror_t $2:dbus acquire_svc;
> ')
Instead of working around an unimplemented interface, an implementation
should be added.
> konqueror_dbus_chat($2)
> ')
>
> ########################################
> ## <summary>
> ## Execute a domain transition to run konqueror.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed to transition.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_domtrans',`
> gen_require(`
> type konqueror_t;
> type konqueror_exec_t;
> ')
>
> domtrans_pattern($1,konqueror_exec_t,konqueror_t)
> ')
>
>
> ########################################
> ## <summary>
> ## Search konqueror rw directories.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_search_home_dir',`
konqueror_search_home()
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:dir search_dir_perms;
> files_search_rw($1)
> userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Read konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_read_home_files',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:file r_file_perms;
deprecated permission set
> allow $1 konqueror_home_t:dir list_dir_perms;
> files_search_rw($1)
> userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> ## konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_manage_home_files',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:file manage_file_perms;
> allow $1 konqueror_home_t:dir rw_dir_perms;
These two rules are manage_files_pattern()
> userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Manage konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_manage_home',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
> manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
>
> manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)
> userdom_search_user_home_dirs($1)
> ')
Needs to be split out into manage_dirs and manage_symlinks interfaces.
> ########################################
> ## <summary>
> ## Send and receive messages from
> ## konqueror over dbus.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_dbus_chat',`
> gen_require(`
> type konqueror_t;
> ')
>
> optional_policy(`
> gen_require(`
> class dbus send_msg;
> ')
> allow $1 konqueror_t:dbus send_msg;
> allow konqueror_t $1:dbus send_msg;
> ')
This shouldn't be optional.
> ')
>
> ########################################
> ## <summary>
> ## All of the rules required to administrate
> ## an konqueror environment
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> ## <param name="role">
> ## <summary>
> ## The role to be allowed to manage the konqueror domain.
> ## </summary>
> ## </param>
> ## <param name="terminal">
> ## <summary>
> ## The type of the user terminal.
> ## </summary>
> ## </param>
> ## <rolecap/>
> #
> interface(`konqueror_admin',`
> gen_require(`
> type konqueror_t;
> ')
>
> allow $1 konqueror_t:process { ptrace signal_perms getattr };
> read_files_pattern($1, konqueror_t, konqueror_t)
>
> konqueror_manage_home($1)
>
> optional_policy(`
> kde_manage_tmp($1)
> ')
> ')
>
>
>
>
>
>
>
> plain text
> document
> attachment
> (konqueror.te)
>
>
> policy_module(konqueror,0.3)
>
> ########################################
> #
> # Konqueror personal declarations
> #
>
> ## <desc>
> ## <p>
> ## Allow Konqueror to run bin_t because of drkonqi
> ## </p>
> ## </desc>
>
> gen_tunable(konqueror_exec_bin_t, false)
>
> type konqueror_t;
> type konqueror_exec_t;
> application_domain(konqueror_t, konqueror_exec_t)
> ubac_constrained(konqueror_t)
>
> type konqueror_home_t;
> userdom_user_home_content(konqueror_home_t)
>
> type konqueror_tmp_t;
> files_tmp_file(konqueror_tmp_t)
> ubac_constrained(konqueror_tmp_t)
>
> ########################################
> #
> # Konqueror local policy
> #
>
> #
> # Allow rules and patterns
> #
> allow konqueror_t self:fifo_file rw_file_perms; # Internal communication using fifo
> allow konqueror_t self:process getsched; # get self process priority
> allow konqueror_t self:tcp_socket create_stream_socket_perms;
> konqueror_dbus_chat(konqueror_t) # internal comunication done by dbus
>
> # Temp acces for konqueror
> manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> konqueror_manage_home(konqueror_t) # full access to konqueror home
>
> #
> # Interfaces from kernel directory
> #
>
> # Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
> corecmd_dontaudit_getattr_bin_files(konqueror_t)
> corecmd_dontaudit_exec_all_executables(konqueror_t)
>
> # Access to ports
> corenet_all_recvfrom_unlabeled(konqueror_t)
> corenet_tcp_sendrecv_all_if(konqueror_t)
> corenet_tcp_sendrecv_all_nodes(konqueror_t)
> corenet_tcp_sendrecv_all_ports(konqueror_t)
> corenet_tcp_connect_ftp_data_port(konqueror_t)
> corenet_tcp_connect_ftp_port(konqueror_t)
> corenet_tcp_connect_http_port(konqueror_t)
> corenet_tcp_connect_http_cache_port(konqueror_t)
>
> dev_read_urand(konqueror_t) #/dev/urandom
>
> files_read_etc_files(konqueror_t)
> files_read_usr_files(konqueror_t) #/usr
>
> fs_getattr_xattr_fs(konqueror_t) # extended atributes support
>
> kernel_read_system_state(konqueror_t) #/proc
>
> #
> # Interfaces from system directory
> #
>
> # Use shared libs
> libs_use_ld_so(konqueror_t)
> libs_use_shared_libs(konqueror_t)
>
> # Read localization and fonts
> miscfiles_read_fonts(konqueror_t)
> miscfiles_read_localization(konqueror_t)
>
> sysnet_dns_name_resolve(konqueror_t)
>
> # Now KDE temp stuff is created with user_tmp_t with more KDE aps confined
> # it'll have the right context. For now grant minimal necessary access to usr temp
> userdom_read_user_tmp_files(konqueror_t)
> userdom_use_user_terminals(konqueror_t) #run from terminal
> # To ensure, that konqueror files with usr_tmp_t are labeled correctly as konqueror_tmp_t
> userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })
>
> #
> # Interfaces from other directories
> #
>
> xserver_read_xdm_tmp_files(konqueror_t)
> xserver_read_user_xauth(konqueror_t)
> xserver_stream_connect(konqueror_t) #connect to xserver
> xserver_stream_connect_xdm(konqueror_t) #connect to xdm xserver
>
> #
> # Tunable policies
> #
>
> tunable_policy(`konqueror_exec_bin_t',`
> corecmd_exec_bin(konqueror_t)
> ')
>
> #
> # Optional policies
> #
>
> # Access to kde_shared_home_t, should be reduced in future
> # Transition so that konqueror_home_files in kde_shared_home_t dir
> # wouldn't switch to parent directory type
> optional_policy(`
> kde_manage_home_files(konqueror_t)
> files_kde_home_filetrans(konqueror_t, konqueror_home_t)
> ')
>
>
> # For testing purpouses only!
> # Should be in userdomain.if
> gen_require(`
> type unconfined_t;
> role unconfined_r;
> ')
>
> konqueror_role(unconfined_r, unconfined_t)
This must be moved to the unconfined module. It should also be added
for the staff and user roles.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 7+ messages in thread* [refpolicy] Basic policy for KDE and Konqueror, third look
2009-09-16 13:31 ` Christopher J. PeBenito
@ 2010-01-27 15:23 ` Nicky726
2010-01-27 19:23 ` Justin P. Mattock
0 siblings, 1 reply; 7+ messages in thread
From: Nicky726 @ 2010-01-27 15:23 UTC (permalink / raw)
To: refpolicy
Hello,
here I am again after some time, with my Konqueror policy related questions. I
was too busy with the school, but by now I managed to incorporate almost all
commets by Chris PeBenito, I only need to do some testing, which is where I
got stuck again.
I've got this ugly hack just for testing purposes:
gen_require(`
type unconfined_t;
role unconfined_r;
')
konqueror_role(unconfined_r, unconfined_t)
in konqueror.te so that Konqueror is run in correct context. (work-in-progress
.if file inculeded). Problem is that, when I run Konqueror, context is not
changed, it still is unconfined...
Did I missed some revolutionary change in refpolicy or Fedora in last 4
months, which causes this, or have I some stupid mistake in my policy?
I was also trying to put this konqueror_role call somewhere, where it should
be -- not that I'm sure, where it is, as there is big difference between
refpolicy and Fedora. To make it short there is too much code for me to
follow, and too much changes in Fedora policy patches. How do the refpolicy
developpers test their policies btw?
Guess thats all for now. Thanks for your answers and patience,
Ondrej Vadinsky
--
Don`t it always seem to go
That you don`t know what you`ve got
Till it`s gone.
(Joni Mitchell)
-------------- next part --------------
## <summary>Konqueror KDE web browser</summary>
########################################
## <summary>
## Role access for konqueror
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`konqueror_role',`
gen_require(`
type konqueror_t, konqueror_exec_t, konqueror_home_t;
')
#TODO Test what is really needed!
role $1 types konqueror_t;
konqueror_domtrans($2)
# Unrestricted inheritance from the caller.
allow konqueror_t $2:fd use;
allow konqueror_t $2:process signal_perms;
dontaudit $2 konqueror_t:process { noatsecure siginh rlimitinh };
# Allow the user domain to signal/ps.
ps_process_pattern($2, konqueror_t)
allow $2 konqueror_t:process signal_perms;
allow $2 konqueror_t:fd use;
allow $2 konqueror_t:shm { associate getattr };
allow $2 konqueror_t:shm { unix_read unix_write };
allow $2 konqueror_t:unix_stream_socket connectto;
# X access, Home files
manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
userdom_stream_connect(konqueror_t)
# Allow konqueror to acquire dbus service from user domain and chat with konqueror
# This is workaround for not yet implemented interface in dbus
optional_policy(`
gen_require(`
class dbus acquire_svc;
')
allow konqueror_t $2:dbus acquire_svc;
')
konqueror_dbus_chat($2)
')
########################################
## <summary>
## Execute a domain transition to run konqueror.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`konqueror_domtrans',`
gen_require(`
type konqueror_t;
type konqueror_exec_t;
')
domtrans_pattern($1,konqueror_exec_t,konqueror_t)
')
########################################
## <summary>
## Search konqueror rw directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_search_home',`
gen_require(`
type konqueror_home_t;
')
allow $1 konqueror_home_t:dir search_dir_perms;
files_search_rw($1)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Read konqueror rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_read_home_files',`
gen_require(`
type konqueror_home_t;
')
allow $1 konqueror_home_t:file read_file_perms;
allow $1 konqueror_home_t:dir list_dir_perms;
files_search_rw($1)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Manage konqueror_home_t files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_manage_home_files',`
gen_require(`
type konqueror_home_t;
')
manage_files_pattern($1,konqueror_home_t,konqueror_home_t);
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Manage konqueror_home_t symlinks.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_manage_home_symlinks',`
gen_require(`
type konqueror_home_t;
')
manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t);
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Manage konqueror_home_t directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_manage_home_dirs',`
gen_require(`
type konqueror_home_t;
')
manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t);
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Send and receive messages from
## konqueror over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_dbus_chat',`
gen_require(`
type konqueror_t;
class dbus send_msg;
')
allow $1 konqueror_t:dbus send_msg;
allow konqueror_t $1:dbus send_msg;
')
########################################
## <summary>
## All of the rules required to administrate
## an konqueror environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the konqueror domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`konqueror_admin',`
gen_require(`
type konqueror_t;
')
allow $1 konqueror_t:process { ptrace signal_perms getattr };
read_files_pattern($1, konqueror_t, konqueror_t)
konqueror_manage_home($1)
optional_policy(`
kde_manage_tmp($1)
')
')
^ permalink raw reply [flat|nested] 7+ messages in thread* [refpolicy] Basic policy for KDE and Konqueror, third look
2010-01-27 15:23 ` Nicky726
@ 2010-01-27 19:23 ` Justin P. Mattock
2010-01-27 19:42 ` Nicky726
0 siblings, 1 reply; 7+ messages in thread
From: Justin P. Mattock @ 2010-01-27 19:23 UTC (permalink / raw)
To: refpolicy
On 01/27/10 07:23, Nicky726 wrote:
> Hello,
>
> here I am again after some time, with my Konqueror policy related questions. I
> was too busy with the school, but by now I managed to incorporate almost all
> commets by Chris PeBenito, I only need to do some testing, which is where I
> got stuck again.
>
> I've got this ugly hack just for testing purposes:
>
> gen_require(`
> type unconfined_t;
> role unconfined_r;
> ')
>
> konqueror_role(unconfined_r, unconfined_t)
>
> in konqueror.te so that Konqueror is run in correct context. (work-in-progress
> .if file inculeded). Problem is that, when I run Konqueror, context is not
> changed, it still is unconfined...
>
> Did I missed some revolutionary change in refpolicy or Fedora in last 4
> months, which causes this, or have I some stupid mistake in my policy?
>
> I was also trying to put this konqueror_role call somewhere, where it should
> be -- not that I'm sure, where it is, as there is big difference between
> refpolicy and Fedora. To make it short there is too much code for me to
> follow, and too much changes in Fedora policy patches. How do the refpolicy
> developpers test their policies btw?
>
> Guess thats all for now. Thanks for your answers and patience,
> Ondrej Vadinsky
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
not sure what to do with konqueror, but in
general whats the file label in /usr/lib/*
and in the home dir..(this way other people
can see, then go from there);
Justin P. Mattock
^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] Basic policy for KDE and Konqueror, third look
2010-01-27 19:23 ` Justin P. Mattock
@ 2010-01-27 19:42 ` Nicky726
2010-01-27 19:47 ` Justin P. Mattock
0 siblings, 1 reply; 7+ messages in thread
From: Nicky726 @ 2010-01-27 19:42 UTC (permalink / raw)
To: refpolicy
Dne St 27. ledna 2010 20:23:47 jste napsal(a):
>
> not sure what to do with konqueror, but in
> general whats the file label in /usr/lib/*
> and in the home dir..(this way other people
> can see, then go from there);
>
> Justin P. Mattock
>
I am deeply embarrassed, I totally forgot to restore file context after loading
konqueror module. Consider this afair as my really stupid mistake.
Thanx,
Ondrej Vadinsky
--
Don`t it always seem to go
That you don`t know what you`ve got
Till it`s gone.
(Joni Mitchell)
^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] Basic policy for KDE and Konqueror, third look
2010-01-27 19:42 ` Nicky726
@ 2010-01-27 19:47 ` Justin P. Mattock
0 siblings, 0 replies; 7+ messages in thread
From: Justin P. Mattock @ 2010-01-27 19:47 UTC (permalink / raw)
To: refpolicy
Your human!! We've all made mistakes.
Justin P. Mattock
On Jan 27, 2010, at 11:42 AM, Nicky726 <nicky726@gmail.com> wrote:
> Dne St 27. ledna 2010 20:23:47 jste napsal(a):
>>
>> not sure what to do with konqueror, but in
>> general whats the file label in /usr/lib/*
>> and in the home dir..(this way other people
>> can see, then go from there);
>>
>> Justin P. Mattock
>>
>
> I am deeply embarrassed, I totally forgot to restore file context
> after loading
> konqueror module. Consider this afair as my really stupid mistake.
>
> Thanx,
> Ondrej Vadinsky
>
> --
> Don`t it always seem to go
> That you don`t know what you`ve got
> Till it`s gone.
>
> (Joni Mitchell)
^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] Basic policy for KDE and Konqueror, third look
@ 2009-09-12 12:47 Nicky 726
0 siblings, 0 replies; 7+ messages in thread
From: Nicky 726 @ 2009-09-12 12:47 UTC (permalink / raw)
To: refpolicy
Hello,
I incorporated to my policy most of comments by Dominick Grift and
reorganized the konqueror.te structure according to this article:
http://danwalsh.livejournal.com/14442.html, therefore I send the
policy for further comments, so I could make it better.
P.S.
There is still isue because of type_transition in
files_kde_home_filetrans() interface. Dominick Grift suggests using
manage_files_pattern instead. The problem is, that only
manage_files_pattern is not enough for it to work corretly (or I have
there some mistake). type_transition or filetrans_pattern is needed,
as konqueror_home_t files reside in kde_shared_home_t directory and
when they are rewriten, they tend to keep kde_shared_home_t type,
which is not desired. Therefor I decided to keep the
filetrans_pattern, but if anyone could think of better working
solution, I'm ready to adopt it.
Thanks for your time,
Ondrej Vadinsky
--
"Don't it always seem to go
That you don't know what you've got
Till it's gone."
(Joni Mitchell)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kde.fc
Type: application/octet-stream
Size: 192 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090912/f2271f15/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kde.te
Type: application/octet-stream
Size: 248 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090912/f2271f15/attachment-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kde.if
Type: application/octet-stream
Size: 2782 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090912/f2271f15/attachment-0002.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: konqueror.fc
Type: application/octet-stream
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090912/f2271f15/attachment-0003.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: konqueror.te
Type: application/octet-stream
Size: 3646 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090912/f2271f15/attachment-0004.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: konqueror.if
Type: application/octet-stream
Size: 5037 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090912/f2271f15/attachment-0005.obj
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2010-01-27 19:47 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-09-14 9:20 [refpolicy] Basic policy for KDE and Konqueror, third look Nicky726
2009-09-16 13:31 ` Christopher J. PeBenito
2010-01-27 15:23 ` Nicky726
2010-01-27 19:23 ` Justin P. Mattock
2010-01-27 19:42 ` Nicky726
2010-01-27 19:47 ` Justin P. Mattock
-- strict thread matches above, loose matches on Subject: below --
2009-09-12 12:47 Nicky 726
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.