Thanks for your comments, I'll provide a better patch soon. In the meantime
just some notes and questions.
> > +# Temp acces for konqueror
> > +manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> > +manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> > +manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> > +manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>
> This does probably require the user to be able to manage it
What do you mean by this?
> > + konqueror_role(staff_r, staff_t)
> > +')
> > +
>
> Should probably go into userdomain (common use template), but i believe
> that for reference policy these calls are not required at all (gets
> called automatically)
>
> > + konqueror_role(user_r, user_t)
> > +')
>
> Same as above
>
> > + konqueror_role(unconfined_r, unconfined_t)
> > +')
> > +
>
> Not sure whether it is a good idea run let unconfined_t transition
Well I'm definitely confused about where to place these calls. Fedora has it
somewhere, refpolicy elsewhere. Could somebody provide explanation about it?
>
> > +HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_
> >r:konqueror_home_t,s0) +
> > +HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_
> >r:konqueror_home_t,s0) +
> > +HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:ob
> >ject_r:konqueror_home_t,s0) +
> > +HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:obj
> >ect_r:konqueror_home_t,s0) +
> > +HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r
> >:konqueror_home_t,s0) +
> > +HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:ko
> >nqueror_home_t,s0)
>
> Why not just kde_shared_home_t for everything in ~/.kde
>
Well, I hope this policy to be just a first step in constructing policies for
other KDE aplications, which I think should be also confined from each other,
so that e.g. a weakness in KDE browser would not endager contacts in KDE mail
client.
> > +gen_tunable(konqueror_exec_bin_t, false)
>
> This shouldnt be tunable
Hm, I made it tunable, because I didn't feel quite right to let konqueror run
bin_t just because of some bug reporting tool. Maybe that was not good idea...
Any special reasons why it sould not be tunable?
Thanx for your time,
Ondrej Vadinsk?
--
Don`t it always seem to go
That you don`t know what you`ve got
Till it`s gone.
(Joni Mitchell)
On 01/30/2010 08:02 PM, Nicky726 wrote:
> Thanks for your comments, I'll provide a better patch soon. In the meantime
> just some notes and questions.
>
>>> +# Temp acces for konqueror
>>> +manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>>> +manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>>> +manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>>> +manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>>
>> This does probably require the user to be able to manage it
Well this content (i assume) is shared between konqueror and users. So
in that case users must be able to manage this content.
> What do you mean by this?
>
>>> + konqueror_role(staff_r, staff_t)
>>> +')
>>> +
>>
>> Should probably go into userdomain (common use template), but i believe
>> that for reference policy these calls are not required at all (gets
>> called automatically)
>>
>>> + konqueror_role(user_r, user_t)
>>> +')
Fedora calls role templates in userdom.if (the common user template)
Refpolicy (i think) uses a mechanism that automatically calls the per
role templates. So you do not have to call the template explicitly like
you do above.
>> Same as above
>>
>>> + konqueror_role(unconfined_r, unconfined_t)
>>> +')
>>> +
>>
>> Not sure whether it is a good idea run let unconfined_t transition
>
> Well I'm definitely confused about where to place these calls. Fedora has it
> somewhere, refpolicy elsewhere. Could somebody provide explanation about it?
>
>>
>>> +HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_
>>> r:konqueror_home_t,s0) +
>>> +HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_
>>> r:konqueror_home_t,s0) +
>>> +HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:ob
>>> ject_r:konqueror_home_t,s0) +
>>> +HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:obj
>>> ect_r:konqueror_home_t,s0) +
>>> +HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r
>>> :konqueror_home_t,s0) +
>>> +HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:ko
>>> nqueror_home_t,s0)
>>
>> Why not just kde_shared_home_t for everything in ~/.kde
>>
>
> Well, I hope this policy to be just a first step in constructing policies for
> other KDE aplications, which I think should be also confined from each other,
> so that e.g. a weakness in KDE browser would not endager contacts in KDE mail
> client.
>
I see. The issue i guess is the "filetrans_pattern". It is not in the
base module. That means you will probably use it in an optional policy
block Also you will not be able to use attributes for this type of
content properly. Other than that i agree that it is a good idea. The
problem is that refpolicy propbably will not accept it.
>>> +gen_tunable(konqueror_exec_bin_t, false)
>>
>> This shouldnt be tunable
>
> Hm, I made it tunable, because I didn't feel quite right to let konqueror run
> bin_t just because of some bug reporting tool. Maybe that was not good idea...
> Any special reasons why it sould not be tunable?
Well i think tunables should only de used for things that affect
security in significant ways. You could consider to just dontaudit it
altogether although that is not a proper solution either.
> Thanx for your time,
> Ondrej Vadinsk?
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100130/89a9f587/attachment.bin