[refpolicy] Policy for Konqueror and KDE v8

From: nicky726@gmail.com (Nicky726)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Policy for Konqueror and KDE v8
Date: Tue, 14 Sep 2010 14:18:42 +0200	[thread overview]
Message-ID: <201009141418.42992.Nicky726@gmail.com> (raw)
In-Reply-To: <1284132209.1749.22.camel@jeremy-ubuntu>

Hello,

first of all thanx for comments, I have incorporated some of them and have a 
few questions to others.

Dne P? 10. z??? 2010 17:23:29 Jeremy Solt napsal(a): 
> > interface(`kde_read_home_files',`
> > 
> >         gen_require(`
> >         
> >                 type kde_home_t;
> >         
> >         ')
> >         
> >         allow $1 kde_home_t:file read_file_perms;
> >         allow $1 kde_home_t:dir list_dir_perms;
> >         userdom_search_user_home_dirs($)
> > 
> > ')
> 
> You should use read_files_pattern here, unless list is really needed.

Correct me if I am wrong, but as kde_home_t files are inside of (one or even 
more) kde_home_t directories, the list permission is needed to access them 
(directory has to be listed first).

> > # Now KDE temp stuff is created with user_tmp_t with more KDE aps
> > confined it'll have the right context. For now grant minimal necessary
> > access to usr temp
> 
> > +userdom_read_user_tmp_files(konqueror_t)
> > +userdom_write_user_tmp_files(konqueror_t)
> > +userdom_manage_user_tmp_sockets(konqueror_t)
> 
> kde_tmp_t is declared but not used in kde.te, is this the reason for
> these calls?

Well I came to feeling that the way KDE apps access temp is pretty messed up. 
There are at least two types of temp files: those only one application 
accesses and those more KDE apps access. None of those has to actually be 
there and are created by the first application which needs them. I didn't 
realised the troubles with it when developing Konqueror policy, but now as I 
try to confine KMail for my diploma paper, I've been quickly hit by them. If 
it is Konqueror, which creates shared temp files, they are labelled 
konqueror_tmp_t and KMail cannot access them. As there is no guarantee which 
application creates those files, I cannot find a way how to classify them in 
SELinux. The only working solution I came with is to use only kde_tmp_t type 
for all confined KDE apps with full rights to it and at least read/write 
access to user_tmp_t. That just doesn't feel right to me though. And moreover 
due to xserver_user_x_domain_template needs application tmp type I cannot even 
ditch the application tmp types.

If somebody sees better way out of it, I'd be glad. 

> Are you planning on submitting this for inclusion in refpolicy? If so,
> you may want to take a look at the style guide here:
> http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

Well that is definitely my long-term goal to get this policy to refpolicy, if 
you guys think that it is ready, that is. Thanx to point the Style Guide out.

Thats all for now, will send the code latter, when it is according to the Style 
Guide and when I have the recent tmp change more tested. 

Ondrej Vadinsky

-- 
Don't it always seem to go
That you don't know what you've got
Till it's gone

(Joni Mitchell)