2009-09-08 10:54:01

by nicky726

[permalink] [raw]
Subject: [refpolicy] Basic policy for KDE and Konqueror, 2nd look

Hello,

this is reworked version of KDE and Konqueror policies. Thanks to everyone,
who comented and especially to Dominick Grift.

Goals are to provide basics for confining of more KDE applications and to
confine Konqueror web-browser as a network accessing application. This version
aims to be more according the reference policy standards. Results are
enclosed. Tested on up-to-date Fedora 11 with KDE 4.3.

Please comment, so that I can make the policy better.


Thanks for your time,
Ondrej Vadinsky

--
Don`t it always seem to go
That you don`t know what you`ve got
Till it`s gone.

(Joni Mitchell)
-------------- next part --------------
# Qt config file
HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)
# KDE home
HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)

-------------- next part --------------
## <summary>Basic kde confinement</summary>

########################################
## <summary>
## Search kde_shared_home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kde_search_home_dir',`
gen_require(`
type kde_shared_home_t;
')

allow $1 kde_shared_home_t:dir search_dir_perms;
files_search_rw($1)
')

########################################
## <summary>
## Read kde_shared_home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kde_read_home_files',`
gen_require(`
type kde_shared_home_t;
')

allow $1 kde_shared_home_t:file r_file_perms;
allow $1 kde_shared_home_t:dir list_dir_perms;
files_search_rw($1)
')

########################################
## <summary>
## Create, read, write, and delete
## kde_shared_home files links and dirs
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kde_manage_home_files',`
gen_require(`
type kde_shared_home_t;
')

allow $1 kde_shared_home_t:file manage_file_perms;
allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
allow $1 kde_shared_home_t:dir rw_dir_perms;
')

########################################
## <summary>
## Manage kde_shared_home files links and dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kde_manage_home',`
gen_require(`
type kde_shared_home_t;
')

manage_dirs_pattern($1,kde_shared_home_t,kde_shared_home_t)
manage_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
manage_lnk_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
')


########################################
## <summary>
## Create file, dir, links of specified type in
## kde_shared_home_t dirs with type transition
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="private type">
## <summary>
## Private type of created object
## </summary>
## </param>
#
interface(`files_kde_home_filetrans',`
gen_require(`
type kde_shared_home_t;
')

type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;

')
-------------- next part --------------

policy_module(kde,0.0.3)

########################################
#
# Declarations
#
type kde_shared_tmp_t;
files_tmp_file(kde_shared_tmp_t)

type kde_shared_home_t;
userdom_user_home_content(kde_shared_home_t)
-------------- next part --------------

/usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)

HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)

HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)

HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)

HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)

HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)

HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)


-------------- next part --------------
## <summary>Policy for Konqueror</summary>

########################################
## <summary>
## Role access for konqueror
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`konqueror_role',`
gen_require(`
type konqueror_t, konqueror_exec_t, konqueror_home_t;
class dbus acquire_svc;
')

role $1 types konqueror_t;

#domain_auto_trans($2, konqueror_exec_t, konqueror_t)
konqueror_domtrans($2)
# Unrestricted inheritance from the caller.
allow $2 konqueror_t:process { noatsecure siginh rlimitinh };
allow konqueror_t $2:fd use;
allow konqueror_t $2:process { sigchld signull sigkill }; #According to AVC sigkill is needed too
allow konqueror_t $2:unix_stream_socket connectto;

# Allow konqueror to acquire dbus service from user domain and chat with konqueror
# This is workaround for not yet implemented interface in dbus
allow konqueror_t $2:dbus acquire_svc;
konqueror_dbus_chat($2)

# Allow the user domain to signal/ps.
ps_process_pattern($2, konqueror_t)
allow $2 konqueror_t:process signal_perms;

allow $2 konqueror_t:fd use;
allow $2 konqueror_t:shm { associate getattr };
allow $2 konqueror_t:shm { unix_read unix_write };
allow $2 konqueror_t:unix_stream_socket connectto;

# X access, Home files
manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
')

########################################
## <summary>
## Execute a domain transition to run konqueror.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`konqueror_domtrans',`
gen_require(`
type konqueror_t;
type konqueror_exec_t;
')

domtrans_pattern($1,konqueror_exec_t,konqueror_t)
')


########################################
## <summary>
## Search konqueror rw directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_search_home_dir',`
gen_require(`
type konqueror_home_t;
')

allow $1 konqueror_home_t:dir search_dir_perms;
files_search_rw($1)
')

########################################
## <summary>
## Read konqueror rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_read_home_files',`
gen_require(`
type konqueror_home_t;
')

allow $1 konqueror_home_t:file r_file_perms;
allow $1 konqueror_home_t:dir list_dir_perms;
files_search_rw($1)
')

########################################
## <summary>
## Create, read, write, and delete
## konqueror rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_manage_home_files',`
gen_require(`
type konqueror_home_t;
')

allow $1 konqueror_home_t:file manage_file_perms;
allow $1 konqueror_home_t:dir rw_dir_perms;
')

########################################
## <summary>
## Manage konqueror rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_manage_home',`
gen_require(`
type konqueror_home_t;
')

manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)
')

########################################
## <summary>
## Send and receive messages from
## konqueror over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`konqueror_dbus_chat',`
gen_require(`
type konqueror_t;
class dbus send_msg;
')

allow $1 konqueror_t:dbus send_msg;
allow konqueror_t $1:dbus send_msg;
')

########################################
## <summary>
## All of the rules required to administrate
## an konqueror environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the konqueror domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`konqueror_admin',`
gen_require(`
type konqueror_t;
')

allow $1 konqueror_t:process { ptrace signal_perms getattr };
read_files_pattern($1, konqueror_t, konqueror_t)


kde_manage_tmp($1)

konqueror_manage_home($1)

')
-------------- next part --------------

policy_module(konqueror,0.2)

########################################
#
# Konqueror personal declarations
#

## <desc>
## <p>
## Allow Konqueror to run bin_t because of drkonqi
## </p>
## </desc>

gen_tunable(konqueror_exec_bin_t, false)

type konqueror_t;
type konqueror_exec_t;
application_domain(konqueror_t, konqueror_exec_t)
ubac_constrained(konqueror_t)

type konqueror_home_t;
userdom_user_home_content(konqueror_home_t)

type konqueror_tmp_t;
files_tmp_file(konqueror_tmp_t)

########################################
#
# Konqueror local policy
#

# Internal communication using fifo and dbus
allow konqueror_t self:fifo_file rw_file_perms;
allow konqueror_t self:dbus send_msg;
allow konqueror_t self:process getsched; # get self process priority
allow konqueror_t self:tcp_socket create_stream_socket_perms;

# Temp acces for konqueror
manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)

# To ensure, that konqueror files with usr_tmp_t are labeled correctly as konqueror_tmp_t
userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })
# Now KDE temp stuff is created with user_tmp_t with more KDE aps confined
# it'll have the right context
# For now grant minimal necessary access to usr temp
userdom_read_user_tmp_files(konqueror_t)

# Full access to konqueror home
konqueror_manage_home(konqueror_t)

# Access to ports
corenet_all_recvfrom_unlabeled(konqueror_t)

corenet_tcp_sendrecv_all_if(konqueror_t)
corenet_tcp_sendrecv_all_nodes(konqueror_t)
corenet_tcp_sendrecv_all_ports(konqueror_t)

corenet_tcp_connect_ftp_data_port(konqueror_t)
corenet_tcp_connect_ftp_port(konqueror_t)

corenet_tcp_connect_http_port(konqueror_t)
corenet_tcp_connect_http_cache_port(konqueror_t)

dev_read_urand(konqueror_t) #/dev/urandom

files_read_etc_files(konqueror_t)
files_read_usr_files(konqueror_t) #/usr

fs_getattr_xattr_fs(konqueror_t) # extended atributes support

kernel_read_system_state(konqueror_t) #/proc

# Use shared libs
libs_use_ld_so(konqueror_t)
libs_use_shared_libs(konqueror_t)

# Read localization and fonts
miscfiles_read_localization(konqueror_t)
miscfiles_read_fonts(konqueror_t)

sysnet_dns_name_resolve(konqueror_t)

userdom_use_user_terminals(konqueror_t) #run from terminal

xserver_stream_connect(konqueror_t) #connect to xserver
xserver_stream_connect_xdm(konqueror_t) #connect to xdm xserver

# Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
# And if user wishes, it could be allowed
corecmd_dontaudit_getattr_bin_files(konqueror_t)
corecmd_dontaudit_exec_all_executables(konqueror_t)
tunable_policy(`konqueror_exec_bin_t',`
corecmd_getattr_bin_files(konqueror_t)
corecmd_exec_bin(konqueror_t)
')

# Access to kde_shared_home_t, should be reduced in future
# Transition so that konqueror_home_files in kde_shared_home_t dir
# wouldn't switch to parent directory type
optional_policy(`
kde_manage_home_files(konqueror_t)
files_kde_home_filetrans(konqueror_t, konqueror_home_t)
')

# For testing purpouses only!
# Should be in userdom.if
gen_require(`
type unconfined_t;
role unconfined_r;
')

konqueror_role(unconfined_r, unconfined_t)


2009-09-08 11:21:13

by domg472

[permalink] [raw]
Subject: [refpolicy] Basic policy for KDE and Konqueror, 2nd look

On Tue, Sep 08, 2009 at 12:54:01PM +0200, Nicky726 wrote:

comments inline
> Hello,
>
> this is reworked version of KDE and Konqueror policies. Thanks to everyone,
> who comented and especially to Dominick Grift.
>
> Goals are to provide basics for confining of more KDE applications and to
> confine Konqueror web-browser as a network accessing application. This version
> aims to be more according the reference policy standards. Results are
> enclosed. Tested on up-to-date Fedora 11 with KDE 4.3.
>
> Please comment, so that I can make the policy better.
>
>
> Thanks for your time,
> Ondrej Vadinsky
>
> --
> Don`t it always seem to go
> That you don`t know what you`ve got
> Till it`s gone.
>
> (Joni Mitchell)

> # Qt config file
> HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)
> # KDE home
> HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)
>

> ## <summary>Basic kde confinement</summary>
>
> ########################################
> ## <summary>
> ## Search kde_shared_home directories.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_search_home_dir',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:dir search_dir_perms;
> files_search_rw($1)
one needs to search $home to find kde_shared_home_t:
userdom_search_user_home_dirs($1)

> ')
>
> ########################################
> ## <summary>
> ## Read kde_shared_home files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_read_home_files',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:file r_file_perms;
> allow $1 kde_shared_home_t:dir list_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> ## kde_shared_home files links and dirs
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_manage_home_files',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:file manage_file_perms;
> allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
> allow $1 kde_shared_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Manage kde_shared_home files links and dirs.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_manage_home',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> manage_dirs_pattern($1,kde_shared_home_t,kde_shared_home_t)
> manage_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
> manage_lnk_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
userdom_search_user_home_dirs($1)
> ')
>
>
> ########################################
> ## <summary>
> ## Create file, dir, links of specified type in
> ## kde_shared_home_t dirs with type transition
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access
> ## </summary>
> ## </param>
> ## <param name="private type">
> ## <summary>
> ## Private type of created object
> ## </summary>
> ## </param>
> #
> interface(`files_kde_home_filetrans',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;
>
> ')
This is a bad idea. processes should not type transition to type that they do not own.
use manage_files_pattern instead.
>
> policy_module(kde,0.0.3)
>
> ########################################
> #
> # Declarations
> #
> type kde_shared_tmp_t;
> files_tmp_file(kde_shared_tmp_t)
ubac_constrained(kde_shared_tmp_t)

>
> type kde_shared_home_t;
> userdom_user_home_content(kde_shared_home_t)

>
> /usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)
>
> HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
>
>

> ## <summary>Policy for Konqueror</summary>
>
> ########################################
> ## <summary>
> ## Role access for konqueror
> ## </summary>
> ## <param name="role">
> ## <summary>
> ## Role allowed access
> ## </summary>
> ## </param>
> ## <param name="domain">
> ## <summary>
> ## User domain for the role
> ## </summary>
> ## </param>
> #
> interface(`konqueror_role',`
> gen_require(`
> type konqueror_t, konqueror_exec_t, konqueror_home_t;
> class dbus acquire_svc;
put the dbus class in a optional_policy block so that your policy doesnt fail if there is no dbus policy installed
')
>
> role $1 types konqueror_t;
>
> #domain_auto_trans($2, konqueror_exec_t, konqueror_t)
> konqueror_domtrans($2)
> # Unrestricted inheritance from the caller.
> allow $2 konqueror_t:process { noatsecure siginh rlimitinh };
This can probably be dontaudited
> allow konqueror_t $2:fd use;
> allow konqueror_t $2:process { sigchld signull sigkill }; #According to AVC sigkill is needed too
signal_perms
> allow konqueror_t $2:unix_stream_socket connectto;
use userdom_stream_connect instead

>
> # Allow konqueror to acquire dbus service from user domain and chat with konqueror
> # This is workaround for not yet implemented interface in dbus
> allow konqueror_t $2:dbus acquire_svc;
> konqueror_dbus_chat($2)
dbus is optional_policy

>
> # Allow the user domain to signal/ps.
> ps_process_pattern($2, konqueror_t)
> allow $2 konqueror_t:process signal_perms;
>
> allow $2 konqueror_t:fd use;
> allow $2 konqueror_t:shm { associate getattr };
> allow $2 konqueror_t:shm { unix_read unix_write };
> allow $2 konqueror_t:unix_stream_socket connectto;
>
> # X access, Home files
> manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
> manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> ')
>
> ########################################
> ## <summary>
> ## Execute a domain transition to run konqueror.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed to transition.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_domtrans',`
> gen_require(`
> type konqueror_t;
> type konqueror_exec_t;
> ')
>
> domtrans_pattern($1,konqueror_exec_t,konqueror_t)
> ')
>
>
> ########################################
> ## <summary>
> ## Search konqueror rw directories.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_search_home_dir',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:dir search_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Read konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_read_home_files',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:file r_file_perms;
> allow $1 konqueror_home_t:dir list_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> ## konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_manage_home_files',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:file manage_file_perms;
> allow $1 konqueror_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
> ')
>

> ########################################
> ## <summary>
> ## Manage konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_manage_home',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
> manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
> manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Send and receive messages from
> ## konqueror over dbus.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_dbus_chat',`
> gen_require(`
> type konqueror_t;
> class dbus send_msg;
> ')
>
> allow $1 konqueror_t:dbus send_msg;
> allow konqueror_t $1:dbus send_msg;
> ')
>
> ########################################
> ## <summary>
> ## All of the rules required to administrate
> ## an konqueror environment
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> ## <param name="role">
> ## <summary>
> ## The role to be allowed to manage the konqueror domain.
> ## </summary>
> ## </param>
> ## <param name="terminal">
> ## <summary>
> ## The type of the user terminal.
> ## </summary>
> ## </param>
> ## <rolecap/>
> #
> interface(`konqueror_admin',`
> gen_require(`
> type konqueror_t;
> ')
>
> allow $1 konqueror_t:process { ptrace signal_perms getattr };
> read_files_pattern($1, konqueror_t, konqueror_t)
>
>
> kde_manage_tmp($1)
>
> konqueror_manage_home($1)
>
> ')

>
> policy_module(konqueror,0.2)
>
> ########################################
> #
> # Konqueror personal declarations
> #
>
> ## <desc>
> ## <p>
> ## Allow Konqueror to run bin_t because of drkonqi
> ## </p>
> ## </desc>
>
> gen_tunable(konqueror_exec_bin_t, false)
>
> type konqueror_t;
> type konqueror_exec_t;
> application_domain(konqueror_t, konqueror_exec_t)
> ubac_constrained(konqueror_t)
>
> type konqueror_home_t;
> userdom_user_home_content(konqueror_home_t)
>
> type konqueror_tmp_t;
> files_tmp_file(konqueror_tmp_t)
ubac_constrained
>
> ########################################
> #
> # Konqueror local policy
> #
>
> # Internal communication using fifo and dbus
> allow konqueror_t self:fifo_file rw_file_perms;
> allow konqueror_t self:dbus send_msg;
> allow konqueror_t self:process getsched; # get self process priority
> allow konqueror_t self:tcp_socket create_stream_socket_perms;
>
> # Temp acces for konqueror
> manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>
> # To ensure, that konqueror files with usr_tmp_t are labeled correctly as konqueror_tmp_t
> userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })
> # Now KDE temp stuff is created with user_tmp_t with more KDE aps confined
> # it'll have the right context
> # For now grant minimal necessary access to usr temp
> userdom_read_user_tmp_files(konqueror_t)
>
> # Full access to konqueror home
> konqueror_manage_home(konqueror_t)
>
> # Access to ports
> corenet_all_recvfrom_unlabeled(konqueror_t)
>
> corenet_tcp_sendrecv_all_if(konqueror_t)
> corenet_tcp_sendrecv_all_nodes(konqueror_t)
> corenet_tcp_sendrecv_all_ports(konqueror_t)
>
> corenet_tcp_connect_ftp_data_port(konqueror_t)
> corenet_tcp_connect_ftp_port(konqueror_t)
>
> corenet_tcp_connect_http_port(konqueror_t)
> corenet_tcp_connect_http_cache_port(konqueror_t)
>
> dev_read_urand(konqueror_t) #/dev/urandom
>
> files_read_etc_files(konqueror_t)
> files_read_usr_files(konqueror_t) #/usr
>
> fs_getattr_xattr_fs(konqueror_t) # extended atributes support
>
> kernel_read_system_state(konqueror_t) #/proc
>
> # Use shared libs
> libs_use_ld_so(konqueror_t)
> libs_use_shared_libs(konqueror_t)
>
> # Read localization and fonts
> miscfiles_read_localization(konqueror_t)
> miscfiles_read_fonts(konqueror_t)
>
> sysnet_dns_name_resolve(konqueror_t)
>
> userdom_use_user_terminals(konqueror_t) #run from terminal
>
> xserver_stream_connect(konqueror_t) #connect to xserver
> xserver_stream_connect_xdm(konqueror_t) #connect to xdm xserver
>
> # Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
> # And if user wishes, it could be allowed
> corecmd_dontaudit_getattr_bin_files(konqueror_t)
> corecmd_dontaudit_exec_all_executables(konqueror_t)
> tunable_policy(`konqueror_exec_bin_t',`
> corecmd_getattr_bin_files(konqueror_t)
getattr is included in corecmd_exec_bin so can probably be removed
> corecmd_exec_bin(konqueror_t)
> ')
>
> # Access to kde_shared_home_t, should be reduced in future
> # Transition so that konqueror_home_files in kde_shared_home_t dir
> # wouldn't switch to parent directory type
> optional_policy(`
> kde_manage_home_files(konqueror_t)
> files_kde_home_filetrans(konqueror_t, konqueror_home_t)
use manage_file_pattern instead
> ')
>
> # For testing purpouses only!
> # Should be in userdom.if
> gen_require(`
> type unconfined_t;
> role unconfined_r;
> ')
>
> konqueror_role(unconfined_r, unconfined_t)

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090908/4e1ea187/attachment-0001.bin