2016-11-25 22:41:40

by guido

Subject: [refpolicy] [PATCH] Apache OpenOffice module

This is a minimal patch that I am testing to support Apache OpenOffice
with its own module.

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/openoffice.fc | 30 ++++++++++++
policy/modules/contrib/openoffice.if | 48 ++++++++++++++++++++
policy/modules/contrib/openoffice.te | 83 +++++++++++++++++++++++++++++++++++
policy/modules/roles/staff.te | 4 +
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 4 +
policy/modules/services/xserver.if | 19 ++++++++
policy/modules/system/libraries.fc | 2
8 files changed, 194 insertions(+)

diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-11-25 23:24:38.338111736 +0100
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice4/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regcomp.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/startup.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uno.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-25 23:24:38.339111745 +0100
@@ -0,0 +1,48 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
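Review bot: `ooffice_role` grants the calling user domain `ptrace` on `ooffice_t` unconditionally in `allow $2 ooffice_t:process { ptrace signal_perms };`, which is more than a role needs to start, list and signal the application. Unless a debugging use case is intended, the line could be `allow $2 ooffice_t:process signal_perms;`. The interface also repeats the `domtrans_pattern` call that `ooffice_domtrans` already wraps; calling `ooffice_domtrans($2)` would keep the transition rule in one place. The same lines appear unchanged in the v2 posting of openoffice.if further down.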
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-11-25 23:27:00.726425482 +0100
@@ -0,0 +1,83 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:udp_socket create_socket_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+rw_fifo_files_pattern(ooffice_t, ooffice_t, ooffice_t)
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+sysnet_read_config(ooffice_t)
+
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_search_user_home_content(ooffice_t)
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+')
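Review bot: The `userdom_manage_user_home_content_dirs`, `_files` and `_symlinks` calls let `ooffice_t` create, modify and delete all generically labelled content under the user's home directory, so a document or macro that takes over the process is barely contained with respect to user data. Together with `execmem` and `corecmd_exec_shell`, this makes the domain quite broad for an application that parses untrusted files. If saving anywhere under the home directory is intended, state it with a comment such as `# Documents may be opened from and saved to any generic user home content`, and consider placing the three calls behind a tunable so that sites can withdraw the write access. `execmem` deserves a one-line justification as well; the patch does not say which component needs it. The v2 posting of openoffice.te keeps these lines unchanged.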
diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
--- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-10-29 16:29:13.453156183 +0200
+++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-11-25 23:24:38.339111745 +0100
@@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
--- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-11-25 23:24:38.340111754 +0100
@@ -721,6 +721,10 @@ optional_policy(`
')

optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
--- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-11-25 23:24:38.340111754 +0100
@@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-08-14 22:10:42.752848860 +0200
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-11-25 23:24:38.338111736 +0100
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`

########################################
## <summary>
+## Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
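Review bot: The summary of `xserver_read_user_iceauth` does not say that `.ICEauthority` holds ICE session authentication cookies, so a caller cannot tell from the documentation that the interface grants access to credentials. I would word it `## Read all users' .ICEauthority files (ICE session authentication cookies).` If OpenOffice only probes for the file and does not need the cookie, a dontaudit rule would be the narrower choice; the patch does not show which of the two applies. The preceding `xserver_read_user_xauth` interface and the header of the following interface are only partly inside this hunk, and the same hunk is repeated in the v2 posting.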
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-25 23:24:38.338111736 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)

+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)


2016-11-26 13:53:11

by Dac Override

Subject: [refpolicy] [PATCH] Apache OpenOffice module

On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
> This is a minimal patch that I am testing to support Apache OpenOffice
> with its own module.
>
> The file contexts (and initial tests) are based on the default
> installation path for version 4 of the office suite.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/openoffice.fc | 30 ++++++++++++
> policy/modules/contrib/openoffice.if | 48 ++++++++++++++++++++
> policy/modules/contrib/openoffice.te | 83 +++++++++++++++++++++++++++++++++++
> policy/modules/roles/staff.te | 4 +
> policy/modules/roles/sysadm.te | 4 +
> policy/modules/roles/unprivuser.te | 4 +
> policy/modules/services/xserver.if | 19 ++++++++
> policy/modules/system/libraries.fc | 2
> 8 files changed, 194 insertions(+)
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
> --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-11-25 23:24:38.338111736 +0100
> @@ -0,0 +1,30 @@
> +HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
> +
> +/opt/openoffice4/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/gnome-open-url.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/regcomp.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/spadmin.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/startup.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/uno.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/unopkg.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)

escape the periods consistently to avoid regex confusion

> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
> --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-25 23:24:38.339111745 +0100
> @@ -0,0 +1,48 @@
> +## <summary>Openoffice suite.</summary>
> +
> +############################################################
> +## <summary>
> +## Role access for openoffice.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_role',`
> + gen_require(`
> + attribute_role ooffice_roles;
> + type ooffice_t, ooffice_exec_t;
> + ')
> +
> + roleattribute $1 ooffice_roles;
> +
> + domtrans_pattern($2, ooffice_exec_t, ooffice_t)
> +
> + allow $2 ooffice_t:process { ptrace signal_perms };
> + ps_process_pattern($2, ooffice_t)
> +')
> +
> +########################################
> +## <summary>
> +## Run openoffice in its own domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_domtrans',`
> + gen_require(`
> + type ooffice_t, ooffice_exec_t;
> + ')
> +
> + domtrans_pattern($1, ooffice_exec_t, ooffice_t)
> +')
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
> --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-11-25 23:27:00.726425482 +0100
> @@ -0,0 +1,83 @@
> +policy_module(openoffice, 1.0.0)
> +
> +##############################
> +#
> +# Declarations
> +#
> +
> +attribute_role ooffice_roles;
> +
> +type ooffice_t;
> +type ooffice_exec_t;
> +userdom_user_application_domain(ooffice_t, ooffice_exec_t)
> +role ooffice_roles types ooffice_t;
> +
> +type ooffice_home_t;
> +userdom_user_home_content(ooffice_home_t)
> +
> +type ooffice_tmp_t;
> +files_tmp_file(ooffice_tmp_t)
> +
> +##############################
> +#
> +# Openoffice local policy
> +#
> +
> +allow ooffice_t self:process { execmem signal };
> +allow ooffice_t self:shm create_shm_perms;
> +allow ooffice_t self:udp_socket create_socket_perms;

the above indicates that it is probably an nss client (auth_use_nsswitch())

> +allow ooffice_t self:unix_stream_socket connectto;
> +
> +allow ooffice_t ooffice_home_t:dir manage_dir_perms;
> +allow ooffice_t ooffice_home_t:file manage_file_perms;
> +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;

lacking an automatic type transition rule (userdom_user_home_dir_filetrans())

> +
> +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
> +
> +rw_fifo_files_pattern(ooffice_t, ooffice_t, ooffice_t)

allow ooffice_t self rw_fifo_file_perms; (there are no dirs with type
ooffice_t other than the ones in /proc)

> +
> +can_exec(ooffice_t, ooffice_exec_t)
> +
> +corecmd_exec_bin(ooffice_t)
> +corecmd_exec_shell(ooffice_t)
> +
> +dev_read_sysfs(ooffice_t)
> +dev_read_urand(ooffice_t)
> +
> +files_read_etc_files(ooffice_t)
> +files_read_usr_files(ooffice_t)
> +
> +fs_getattr_xattr_fs(ooffice_t)
> +
> +miscfiles_read_fonts(ooffice_t)
> +miscfiles_read_localization(ooffice_t)
> +
> +sysnet_read_config(ooffice_t)

this is also part of the nss client stuff i mentioned above. Looks like
it is getting ready to do some dns resolving

> +
> +userdom_manage_user_home_content_dirs(ooffice_t)
> +userdom_manage_user_home_content_files(ooffice_t)
> +userdom_manage_user_home_content_symlinks(ooffice_t)
> +userdom_search_user_home_content(ooffice_t)

redundant because the first three already provide the functionality that
the fourth provides.

> +
> +optional_policy(`
> + cups_read_config(ooffice_t)
> + cups_stream_connect(ooffice_t)
> +')
> +
> +optional_policy(`
> + dbus_all_session_bus_client(ooffice_t)
> +')
> +
> +optional_policy(`
> + hostname_exec(ooffice_t)
> +')
> +
> +optional_policy(`
> + xserver_read_user_iceauth(ooffice_t)
> + xserver_read_user_xauth(ooffice_t)
> + xserver_read_xdm_tmp_files(ooffice_t)
> + xserver_stream_connect(ooffice_t)
> +')
> diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
> --- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-10-29 16:29:13.453156183 +0200
> +++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-11-25 23:24:38.339111745 +0100
> @@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + ooffice_role(staff_r, staff_t)
> + ')
> +
> + optional_policy(`
> pyzor_role(staff_r, staff_t)
> ')
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
> --- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-10-29 16:29:13.454156211 +0200
> +++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-11-25 23:24:38.340111754 +0100
> @@ -721,6 +721,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ooffice_role(sysadm_r, sysadm_t)
> +')
> +
> +optional_policy(`
> openct_admin(sysadm_t, sysadm_r)
> ')
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
> --- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-10-29 16:29:13.454156211 +0200
> +++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-11-25 23:24:38.340111754 +0100
> @@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + ooffice_role(user_r, user_t)
> + ')
> +
> + optional_policy(`
> postgresql_role(user_r, user_t)
> ')
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
> --- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-08-14 22:10:42.752848860 +0200
> +++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-11-25 23:24:38.338111736 +0100
> @@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`
>
> ########################################
> ## <summary>
> +## Read all users .ICEauthority.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_read_user_iceauth',`
> + gen_require(`
> + type iceauth_home_t;
> + ')
> +
> + allow $1 iceauth_home_t:file read_file_perms;
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Set the attributes of the X windows console named pipes.
> ## </summary>
> ## <param name="domain">
> diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
> --- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200
> +++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-25 23:24:38.338111736 +0100
> @@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
> /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
>
> +/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
> +
> /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> # despite the extensions, they are actually libs
> /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

I am personally of the opinion that this module probably will not cut it
in the end. Basically because it's too limited, especially considering
that it uses dbus.

However i will leave that judgement to others, and instead i stick to
shallow reviewing, ignoring any issue of structure that i see.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-11-26 14:32:07

by guido

Subject: [refpolicy] [PATCH v2] Apache OpenOffice module

This is a minimal patch that I am testing to support Apache OpenOffice
with its own module.

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

This second version includes revisions from Dominick Grift.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/openoffice.fc | 30 ++++++++++++
policy/modules/contrib/openoffice.if | 48 ++++++++++++++++++++
policy/modules/contrib/openoffice.te | 81 +++++++++++++++++++++++++++++++++++
policy/modules/roles/staff.te | 4 +
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 4 +
policy/modules/services/xserver.if | 19 ++++++++
policy/modules/system/libraries.fc | 2
8 files changed, 192 insertions(+)

diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-11-26 15:05:58.006638672 +0100
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice4/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-26 15:03:47.654293949 +0100
@@ -0,0 +1,48 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-11-26 15:26:20.200580983 +0100
@@ -0,0 +1,81 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, { dir file lnk_file })
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+auth_use_nsswitch(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+')
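Review bot: `userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, { dir file lnk_file })` has no object name, so every directory, file or symlink that `ooffice_t` creates directly in the user's home directory is labelled `ooffice_home_t`, including a document saved at the top level of the home directory. Other domains that expect generic user home content may then be denied access to that document, and the private type spreads beyond the `HOME_DIR/\.openoffice(/.*)?` tree declared in openoffice.fc. A named transition limited to the configuration directory would match the file context: `userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")`, assuming the interface's optional name argument is available in this tree. Documents created directly in the home directory would then need their own transition to generic user home content, which this patch does not add.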
diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
--- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-10-29 16:29:13.453156183 +0200
+++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-11-26 15:03:47.656293970 +0100
@@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
--- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-11-26 15:03:47.657293980 +0100
@@ -721,6 +721,10 @@ optional_policy(`
')

optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
--- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-11-26 15:03:47.658293990 +0100
@@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-08-14 22:10:42.752848860 +0200
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-11-26 15:03:47.658293990 +0100
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`

########################################
## <summary>
+## Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
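Review bot: The summary on the new `xserver_read_user_iceauth` interface, `Read all users .ICEauthority.`, does not tell a caller what it is granting. The rule below it allows read on every file of type `iceauth_home_t`, which by its name presumably holds the ICE cookies used to authenticate to a session manager, so the interface should be documented as access to authentication material. I would reword the summary to `## Read the .ICEauthority file of all users.` and add a `<desc>` paragraph stating that the file carries session authentication data and that the interface is meant for trusted X clients only. The same hunk is reposted unchanged in the v3 patch later in the thread, and the interface that follows it in the file continues outside the hunk.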
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)

+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)

2016-11-26 14:37:36

by guido

Subject: [refpolicy] [PATCH] Apache OpenOffice module

Hello,

thanks very much for the revision. I have now posted a second version
of the patch...

On Sat, 26/11/2016 at 14.53 +0100, Dominick Grift via refpolicy wrote:
> On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
> >
> > This is a minimal patch that I am testing to support Apache
> > OpenOffice
> > with its own module.
> >
> > The file contexts (and initial tests) are based on the default
> > installation path for version 4 of the office suite.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/contrib/openoffice.fc |???30 ++++++++++++
> > ?policy/modules/contrib/openoffice.if |???48 ++++++++++++++++++++
> > ?policy/modules/contrib/openoffice.te |???83
> > +++++++++++++++++++++++++++++++++++
> > ?policy/modules/roles/staff.te????????|????4 +
> > ?policy/modules/roles/sysadm.te???????|????4 +
> > ?policy/modules/roles/unprivuser.te???|????4 +
> > ?policy/modules/services/xserver.if???|???19 ++++++++
> > ?policy/modules/system/libraries.fc???|????2
> > ?8 files changed, 194 insertions(+)
> >
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/contrib/openoffice.fc refpolicy-git-
> > 25112016/policy/modules/contrib/openoffice.fc
> > --- refpolicy-git-25112016-
> > orig/policy/modules/contrib/openoffice.fc 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
> > 2016-11-25 23:24:38.338111736 +0100
> > @@ -0,0 +1,30 @@
> > +HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:o
> > office_home_t,s0)
> > +
> > +/opt/openoffice4/program/cde-open-url -- gen
> > _context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/gnome-open-url -- g
> > en_context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/gnome-open-url.bin -- gen_c
> > ontext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/javaldx -- gen_cont
> > ext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/kde-open-url -- gen
> > _context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/open-url -- gen_con
> > text(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/pagein -- g
> > en_context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/regcomp.bin -- gen_
> > context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/regmerge -- gen_con
> > text(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/regview -- gen_cont
> > ext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/sbase -- ge
> > n_context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/scalc -- ge
> > n_context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/sdraw -- ge
> > n_context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/senddoc -- gen_cont
> > ext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/simpress -- gen_con
> > text(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/smath -- ge
> > n_context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/soffice -- gen_cont
> > ext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/soffice\.bin -- gen
> > _context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/spadmin -- gen_cont
> > ext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/spadmin.bin -- gen_
> > context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/startup.sh -- gen_c
> > ontext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/swriter -- gen_cont
> > ext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/uno.bin -- gen_cont
> > ext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/unoinfo -- gen_cont
> > ext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/unopkg -- g
> > en_context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/unopkg.bin -- gen_c
> > ontext(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/unpack_update -- ge
> > n_context(system_u:object_r:ooffice_exec_t,s0)
> > +/opt/openoffice4/program/uri-encode -- gen_c
> > ontext(system_u:object_r:ooffice_exec_t,s0)
>
> escape the periods consistently to avoid regex confusion
>
> >
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/contrib/openoffice.if refpolicy-git-
> > 25112016/policy/modules/contrib/openoffice.if
> > --- refpolicy-git-25112016-
> > orig/policy/modules/contrib/openoffice.if 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if
> > 2016-11-25 23:24:38.339111745 +0100
> > @@ -0,0 +1,48 @@
> > +## <summary>Openoffice suite.</summary>
> > +
> > +############################################################
> > +## <summary>
> > +## Role access for openoffice.
> > +## </summary>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## User domain for the role.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`ooffice_role',`
> > + gen_require(`
> > + attribute_role ooffice_roles;
> > + type ooffice_t, ooffice_exec_t;
> > +????????')
> > +
> > + roleattribute $1 ooffice_roles;
> > +
> > + domtrans_pattern($2, ooffice_exec_t, ooffice_t)
> > +
> > + allow $2 ooffice_t:process { ptrace signal_perms };
> > + ps_process_pattern($2, ooffice_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Run openoffice in its own domain.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`ooffice_domtrans',`
> > + gen_require(`
> > + type ooffice_t, ooffice_exec_t;
> > + ')
> > +
> > + domtrans_pattern($1, ooffice_exec_t, ooffice_t)
> > +')
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/contrib/openoffice.te refpolicy-git-
> > 25112016/policy/modules/contrib/openoffice.te
> > --- refpolicy-git-25112016-
> > orig/policy/modules/contrib/openoffice.te 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te
> > 2016-11-25 23:27:00.726425482 +0100
> > @@ -0,0 +1,83 @@
> > +policy_module(openoffice, 1.0.0)
> > +
> > +##############################
> > +#
> > +# Declarations
> > +#
> > +
> > +attribute_role ooffice_roles;
> > +
> > +type ooffice_t;
> > +type ooffice_exec_t;
> > +userdom_user_application_domain(ooffice_t, ooffice_exec_t)
> > +role ooffice_roles types ooffice_t;
> > +
> > +type ooffice_home_t;
> > +userdom_user_home_content(ooffice_home_t)
> > +
> > +type ooffice_tmp_t;
> > +files_tmp_file(ooffice_tmp_t)
> > +
> > +##############################
> > +#
> > +# Openoffice local policy
> > +#
> > +
> > +allow ooffice_t self:process { execmem signal };
> > +allow ooffice_t self:shm create_shm_perms;
> > +allow ooffice_t self:udp_socket create_socket_perms;
>
> the above indicates that it is probably an nss client
> (auth_use_nsswitch())
>
> >
> > +allow ooffice_t self:unix_stream_socket connectto;
> > +
> > +allow ooffice_t ooffice_home_t:dir manage_dir_perms;
> > +allow ooffice_t ooffice_home_t:file manage_file_perms;
> > +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
>
> lacking an automatic type transition rule
> (userdom_user_home_dir_filetrans())
>
> >
> > +
> > +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> > +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> > +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> > +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file
> > })
> > +
> > +rw_fifo_files_pattern(ooffice_t, ooffice_t, ooffice_t)
>
> allow ooffice_t self rw_fifo_file_perms; (there are no dirs with type
> ooffice_t other than the ones in /proc)
>
> >
> > +
> > +can_exec(ooffice_t, ooffice_exec_t)
> > +
> > +corecmd_exec_bin(ooffice_t)
> > +corecmd_exec_shell(ooffice_t)
> > +
> > +dev_read_sysfs(ooffice_t)
> > +dev_read_urand(ooffice_t)
> > +
> > +files_read_etc_files(ooffice_t)
> > +files_read_usr_files(ooffice_t)
> > +
> > +fs_getattr_xattr_fs(ooffice_t)
> > +
> > +miscfiles_read_fonts(ooffice_t)
> > +miscfiles_read_localization(ooffice_t)
> > +
> > +sysnet_read_config(ooffice_t)
>
> this is also part of the nss client stuff i mentioned above. Looks
> like
> it is getting ready to do some dns resolving
>
> >
> > +
> > +userdom_manage_user_home_content_dirs(ooffice_t)
> > +userdom_manage_user_home_content_files(ooffice_t)
> > +userdom_manage_user_home_content_symlinks(ooffice_t)
> > +userdom_search_user_home_content(ooffice_t)
>
> redundant because the first three already provide the functionality
> that
> the fourth provides.
>
> >
> > +
> > +optional_policy(`
> > + cups_read_config(ooffice_t)
> > + cups_stream_connect(ooffice_t)
> > +')
> > +
> > +optional_policy(`
> > + dbus_all_session_bus_client(ooffice_t)
> > +')
> > +
> > +optional_policy(`
> > + hostname_exec(ooffice_t)
> > +')
> > +
> > +optional_policy(`
> > + xserver_read_user_iceauth(ooffice_t)
> > + xserver_read_user_xauth(ooffice_t)
> > + xserver_read_xdm_tmp_files(ooffice_t)
> > + xserver_stream_connect(ooffice_t)
> > +')
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/roles/staff.te refpolicy-git-
> > 25112016/policy/modules/roles/staff.te
> > --- refpolicy-git-25112016-orig/policy/modules/roles/staff.te
> > 2016-10-29 16:29:13.453156183 +0200
> > +++ refpolicy-git-25112016/policy/modules/roles/staff.te 201
> > 6-11-25 23:24:38.339111745 +0100
> > @@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
> > ? ')
> > ?
> > ? optional_policy(`
> > + ooffice_role(staff_r, staff_t)
> > + ')
> > +
> > + optional_policy(`
> > ? pyzor_role(staff_r, staff_t)
> > ? ')
> > ?
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/roles/sysadm.te refpolicy-git-
> > 25112016/policy/modules/roles/sysadm.te
> > --- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te
> > 2016-10-29 16:29:13.454156211 +0200
> > +++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 20
> > 16-11-25 23:24:38.340111754 +0100
> > @@ -721,6 +721,10 @@ optional_policy(`
> > ?')
> > ?
> > ?optional_policy(`
> > + ooffice_role(sysadm_r, sysadm_t)
> > +')
> > +
> > +optional_policy(`
> > ? openct_admin(sysadm_t, sysadm_r)
> > ?')
> > ?
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/roles/unprivuser.te refpolicy-git-
> > 25112016/policy/modules/roles/unprivuser.te
> > --- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te
> > 2016-10-29 16:29:13.454156211 +0200
> > +++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te
> > 2016-11-25 23:24:38.340111754 +0100
> > @@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
> > ? ')
> > ?
> > ? optional_policy(`
> > + ooffice_role(user_r, user_t)
> > + ')
> > +
> > + optional_policy(`
> > ? postgresql_role(user_r, user_t)
> > ? ')
> > ?
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/services/xserver.if refpolicy-git-
> > 25112016/policy/modules/services/xserver.if
> > --- refpolicy-git-25112016-orig/policy/modules/services/xserver.if
> > 2016-08-14 22:10:42.752848860 +0200
> > +++ refpolicy-git-25112016/policy/modules/services/xserver.if
> > 2016-11-25 23:24:38.338111736 +0100
> > @@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`
> > ?
> > ?########################################
> > ?## <summary>
> > +## Read all users .ICEauthority.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`xserver_read_user_iceauth',`
> > + gen_require(`
> > + type iceauth_home_t;
> > + ')
> > +
> > + allow $1 iceauth_home_t:file read_file_perms;
> > + userdom_search_user_home_dirs($1)
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Set the attributes of the X windows console named pipes.
> > ?## </summary>
> > ?## <param name="domain">
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/system/libraries.fc refpolicy-git-
> > 25112016/policy/modules/system/libraries.fc
> > --- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc
> > 2016-08-14 21:24:48.961382244 +0200
> > +++ refpolicy-git-25112016/policy/modules/system/libraries.fc
> > 2016-11-25 23:24:38.338111736 +0100
> > @@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
> > ?/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(sys
> > tem_u:object_r:textrel_shlib_t,s0)
> > ?/opt/(.*/)?jre/.+\.jar -- gen_contex
> > t(system_u:object_r:lib_t,s0)
> > ?
> > +/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_con
> > text(system_u:object_r:lib_t,s0)
> > +
> > ?/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(syst
> > em_u:object_r:textrel_shlib_t,s0)
> > ?# despite the extensions, they are actually libs
> > ?/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api --
> > gen_context(system_u:object_r:lib_t,s0)
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
> >
>
> I am personally of the opinion that this module probably will not cut
> it
> in the end. Basically because it's too limited, especially
> considering
> that it uses dbus.
>
> However i will leave that judgement to others, and instead i stick to
> shallow reviewing, ignoring any issue of structure that i see.

It allows OpenOffice 4 to run under the Reference Policy.

It can probably be adapted to work with previous OpenOffice versions
by simply changing the file contexts.

If it proves to be limited, it can always be extended later on... At
the moment it works fine, as far as I can tell.

However, it probably needs more testing.

Regards,

Guido

2016-11-26 15:49:09

by guido

Subject: [refpolicy] [PATCH] Apache OpenOffice module

Hello again...

On Sat, 26/11/2016 at 14.53 +0100, Dominick Grift via refpolicy wrote:
> On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:

[...]

> > +##############################
> > +#
> > +# Openoffice local policy
> > +#
> > +
> > +allow ooffice_t self:process { execmem signal };
> > +allow ooffice_t self:shm create_shm_perms;
> > +allow ooffice_t self:udp_socket create_socket_perms;
>
> the above indicated that it is probably an nss client
> (auth_use_nsswitch())

Actually, auth_use_nsswitch() is probably too permissive and not
needed, I think sysnet_dns_name_resolve() is more than enough...

So, I am probably going to change it like that.

Regards,

Guido

2016-11-26 16:53:23

by guido

Subject: [refpolicy] [PATCH v3] Apache OpenOffice module

This is a minimal patch that I am testing to support Apache OpenOffice
with its own module.

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

It includes revisions from Dominick Grift.

This third version should correctly manage files in home directories
and allow some other functionality.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/openoffice.fc | 30 +++++++++++
policy/modules/contrib/openoffice.if | 48 +++++++++++++++++
policy/modules/contrib/openoffice.te | 95 +++++++++++++++++++++++++++++++++++
policy/modules/roles/staff.te | 4 +
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 4 +
policy/modules/services/xserver.if | 19 +++++++
policy/modules/system/libraries.fc | 2
8 files changed, 206 insertions(+)

diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-11-26 15:05:58.006638672 +0100
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice4/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-26 15:03:47.654293949 +0100
@@ -0,0 +1,48 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
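Review bot: In `ooffice_role`, the rule `allow $2 ooffice_t:process { ptrace signal_perms };` grants the calling user domain ptrace on the office process unconditionally, and the patch applies it to staff, sysadm and unprivileged users alike. Nothing visible in the module shows a need for the user domain to trace `ooffice_t`; signalling and process listing are already covered by `signal_perms` and `ps_process_pattern`. Unless debugging the suite from the user domain is a stated goal, I would reduce the rule to `allow $2 ooffice_t:process signal_perms;`. As a smaller point of style, `ooffice_role` repeats the `domtrans_pattern` line that `ooffice_domtrans` already wraps and could call `ooffice_domtrans($2)` instead.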
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-11-26 17:47:04.413762421 +0100
@@ -0,0 +1,95 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+corenet_tcp_connect_http_port(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+')
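Review bot: The three calls `files_getattr_all_dirs(ooffice_t)`, `files_getattr_all_files(ooffice_t)` and `files_getattr_all_symlinks(ooffice_t)` give the office domain metadata access to every file type on the system. That is much wider than the rest of the module, which keeps file access to user home content, /etc, /usr, fonts and the module's own types. If they were added to silence denials produced while a file dialog walks the tree (an assumption, the commit message does not say), the dontaudit counterparts such as `files_dontaudit_getattr_all_files(ooffice_t)` would quiet the log without granting the access. Separately, `userdom_user_home_dir_filetrans_user_home_content` lists `fifo_file sock_file`, but the module only grants manage on user home dirs, files and symlinks, so those two classes look unused and could be dropped from the set.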
diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
--- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-10-29 16:29:13.453156183 +0200
+++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-11-26 15:03:47.656293970 +0100
@@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
--- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-11-26 15:03:47.657293980 +0100
@@ -721,6 +721,10 @@ optional_policy(`
')

optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
--- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-11-26 15:03:47.658293990 +0100
@@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-08-14 22:10:42.752848860 +0200
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-11-26 15:03:47.658293990 +0100
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`

########################################
## <summary>
+## Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)

+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)

2016-11-29 01:48:35

by Chris PeBenito

Subject: [refpolicy] [PATCH] Apache OpenOffice module

On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
> On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
>> This is a minimal patch that I am testing to support Apache OpenOffice
>> with its own module.
>>
>> The file contexts (and initial tests) are based on the default
>> installation path for version 4 of the office suite.
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
[...]
>
> I am personally of the opinion that this module probably will not cut it
> in the end. Basically because it's too limited, especially considering
> that it uses dbus.

I'm unclear what the purpose of this policy is. Users aren't going to
expect this kind of limitation. They should be able to edit whatever
their user domain has access to, i.e. the same reason vim doesn't have a
policy.

--
Chris PeBenito

2016-11-29 11:30:23

by guido

Subject: [refpolicy] [PATCH] Apache OpenOffice module

Hello Christopher.

On Mon, 28/11/2016 at 20.48 -0500, Chris PeBenito via refpolicy wrote:
> On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
> >
> > On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
> > >
> > > This is a minimal patch that I am testing to support Apache
> > > OpenOffice
> > > with its own module.
> > >
> > > The file contexts (and initial tests) are based on the default
> > > installation path for version 4 of the office suite.
> > >
> > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > ---
> [...]
> >
> >
> > I am personally of the opinion that this module probably will not
> > cut it
> > in the end. Basically because it's too limited, especially
> > considering
> > that it uses dbus.
>
> I'm unclear what the purpose of this policy is. Users aren't going
> to
> expect this kind of limitation. They should be able to edit
> whatever
> their user domain has access to, i.e. the same reason vim doesn't
> have a
> policy.

The module aims to confine Apache OpenOffice so that it runs in its own
domain with the least privilege instead of running in the user domain
with a large set of unneeded permissions which can create
vulnerabilities, for example, if a malicious version of the application
is installed.

When using the "openoffice" module that I propose (if you give it a try
on a test system, for example), the user can manage files in his/her
own home directory and performs most, if not all, operations currently
supported by the OpenOffice suite of applications.

Other applications that are not currently confined (such as vim that
you mentioned) can be confined at a later time to achieve an increased
overall level of security (reduced attack surface, i.e. fewer security
risks / decreased probability of a successful attack).

Regards,

Guido

2016-11-29 11:51:01

by Dac Override

Subject: [refpolicy] [PATCH] Apache OpenOffice module

On 11/29/2016 02:48 AM, Chris PeBenito wrote:
> On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
>> On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
>>> This is a minimal patch that I am testing to support Apache OpenOffice
>>> with its own module.
>>>
>>> The file contexts (and initial tests) are based on the default
>>> installation path for version 4 of the office suite.
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
> [...]
>>
>> I am personally of the opinion that this module probably will not cut it
>> in the end. Basically because it's too limited, especially considering
>> that it uses dbus.
>
> I'm unclear what the purpose of this policy is. Users aren't going to
> expect this kind of limitation. They should be able to edit whatever
> their user domain has access to, i.e. the same reason vim doesn't have a
> policy.
>

vim is a text editor. open/libre office is a office suite.

I do not believe that anyone expects the latter to be able to manage
config, data and cache files.

If you want to enforce some integrity on the desktop then you have to
draw the line somewhere sometimes. I suppose that is what enforcing
integrity is all about after all...

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-11-29 14:05:04

by guido

Subject: [refpolicy] [PATCH] Apache OpenOffice module

Hello.

On Tue, 29/11/2016 at 12.51 +0100, Dominick Grift via refpolicy wrote:
> On 11/29/2016 02:48 AM, Chris PeBenito wrote:
> >
> > On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
> > >
> > > On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
> > > >
> > > > This is a minimal patch that I am testing to support Apache
> > > > OpenOffice
> > > > with its own module.
> > > >
> > > > The file contexts (and initial tests) are based on the default
> > > > installation path for version 4 of the office suite.
> > > >
> > > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > > ---
> > [...]
> > >
> > >
> > > I am personally of the opinion that this module probably will not
> > > cut it
> > > in the end. Basically because it's too limited, especially
> > > considering
> > > that it uses dbus.
> >
> > I'm unclear what the purpose of this policy is. Users aren't going
> > to
> > expect this kind of limitation. They should be able to edit
> > whatever
> > their user domain has access to, i.e. the same reason vim doesn't
> > have a
> > policy.
> >
>
> vim is a text editor. open/libre office is a office suite.
>
> I do not believe that anyone expects the latter to be able to manage
> config, data and cache files.

It only reads ~/.cache and ~/.config, while it also needs to manage
~/.local/share files.

Indeed, on the system that I am using, it is confined by enforcing the
above. It works really well !

On the other hand, the patch proposed here simplifies things by
allowing it to manage the whole home directory content.

Of course, it can always be extended at a later time to enforce
stricter file permissions on the above mentioned hidden directories by
rethinking the whole desktop file contexts and security. But, as a
first step, I suppose the proposed module is enough.

> If you want to enforce some integrity on the desktop then you have to
> draw the line somewhere sometimes. I suppose that is what enforcing
> integrity is all about after all...

Regards,

Guido

2016-11-30 00:23:35

by Chris PeBenito

Subject: [refpolicy] [PATCH] Apache OpenOffice module

On 11/29/16 06:51, Dominick Grift wrote:
> On 11/29/2016 02:48 AM, Chris PeBenito wrote:
>> On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
>>> On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
>>>> This is a minimal patch that I am testing to support Apache OpenOffice
>>>> with its own module.
>>>>
>>>> The file contexts (and initial tests) are based on the default
>>>> installation path for version 4 of the office suite.
>>>>
>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>> ---
>> [...]
>>>
>>> I am personally of the opinion that this module probably will not cut it
>>> in the end. Basically because it's too limited, especially considering
>>> that it uses dbus.
>>
>> I'm unclear what the purpose of this policy is. Users aren't going to
>> expect this kind of limitation. They should be able to edit whatever
>> their user domain has access to, i.e. the same reason vim doesn't have a
>> policy.
>>
>
> vim is a text editor. open/libre office is a office suite.
>
> I do not believe that anyone expects the latter to be able to manage
> config, data and cache files.
>
> If you want to enforce some integrity on the desktop then you have to
> draw the line somewhere sometimes. I suppose that is what enforcing
> integrity is all about after all...

In this case, what integrity is being enforced? Integrity of the user
data? That's not covered here as it can manage the user data. Maybe
not the configs, but user data is of much more consequence. It's not
preventing network access, particularly to http, so there's nothing
preventing it from sending out the user data either.

--
Chris PeBenito

2016-11-30 06:52:23

by Dac Override

Subject: [refpolicy] [PATCH] Apache OpenOffice module

On 11/30/2016 01:23 AM, Chris PeBenito wrote:
> On 11/29/16 06:51, Dominick Grift wrote:
>> On 11/29/2016 02:48 AM, Chris PeBenito wrote:
>>> On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
>>>> On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
>>>>> This is a minimal patch that I am testing to support Apache OpenOffice
>>>>> with its own module.
>>>>>
>>>>> The file contexts (and initial tests) are based on the default
>>>>> installation path for version 4 of the office suite.
>>>>>
>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>> ---
>>> [...]
>>>>
>>>> I am personally of the opinion that this module probably will not
>>>> cut it
>>>> in the end. Basically because it's too limited, especially considering
>>>> that it uses dbus.
>>>
>>> I'm unclear what the purpose of this policy is. Users aren't going to
>>> expect this kind of limitation. They should be able to edit whatever
>>> their user domain has access to, i.e. the same reason vim doesn't have a
>>> policy.
>>>
>>
>> vim is a text editor. open/libre office is a office suite.
>>
>> I do not believe that anyone expects the latter to be able to manage
>> config, data and cache files.
>>
>> If you want to enforce some integrity on the desktop then you have to
>> draw the line somewhere sometimes. I suppose that is what enforcing
>> integrity is all about after all...
>
> In this case, what integrity is being enforced? Integrity of the user
> data? That's not covered here as it can manage the user data. Maybe
> not the configs, but user data is of much more consequence. It's not
> preventing network access, particularly to http, so there's nothing
> preventing it from sending out the user data either.

I would argue that in a desktop system the most sensitive data is
config, cache and data. So integrity should be enforced on this content.
(e.g.) strictly restrict access to the private types of config, data and
cache.

.gnupg is config, often it houses private key files. Only gnupg should
be able to access this file directly. this key is like your identity. It
has to be protected. .ssh is ssh-client config it might have private key
files. These are like your authentication credentials and should be
protected and only ssh client should have access to it. The
gnome-keyring data has sensitive info and should be protected. Many
configuration files have sensitive info. For example you might have your
nickserv password in .irssi/config. This should only be accessible by
irssi else it can be used to impersonate you. there are a myriad of
other sensitive files, but generally they all fall under config, cache
or data. Types of content that an office suite shouldn't have to have
broad access to.

(generic) User data and network access have low priority. (generic) User
data is generally shared across domains. That is just its nature. So
there is little we can do with SELinux to enforce integrity there (there
is an option to implement a solution similar to the public_content_t
solution we implemented in the system space but it would probably only
be used my power users anyway). Network access well lets just say that
we have better (or at least additional) tools to control access to the
network.

To me its all about protecting config , data and cache, and to govern
who can run what, who can communicate with who etc.

>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-11-30 11:38:39

by guido

Subject: [refpolicy] [PATCH] Apache OpenOffice module

Hello Christopher.

On Tue, 29/11/2016 at 19.23 -0500, Chris PeBenito via refpolicy wrote:
> On 11/29/16 06:51, Dominick Grift wrote:
> >
> > On 11/29/2016 02:48 AM, Chris PeBenito wrote:
> > >
> > > On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
> > > >
> > > > On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
> > > > >
> > > > > This is a minimal patch that I am testing to support Apache
> > > > > OpenOffice
> > > > > with its own module.
> > > > >
> > > > > The file contexts (and initial tests) are based on the
> > > > > default
> > > > > installation path for version 4 of the office suite.
> > > > >
> > > > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > > > ---
> > > [...]
> > > >
> > > >
> > > > I am personally of the opinion that this module probably will
> > > > not cut it
> > > > in the end. Basically because it's too limited, especially
> > > > considering
> > > > that it uses dbus.
> > >
> > > I'm unclear what the purpose of this policy is.??Users aren't
> > > going to
> > > expect this kind of limitation.??They should be able to edit
> > > whatever
> > > their user domain has access to, i.e. the same reason vim doesn't
> > > have a
> > > policy.
> > >
> >
> > vim is a text editor. open/libre office is a office suite.
> >
> > I do not believe that anyone expects the latter to be able to
> > manage
> > config, data and cache files.
> >
> > If you want to enforce some integrity on the desktop then you have
> > to
> > draw the line somewhere sometimes. I suppose that is what enforcing
> > integrity is all about after all...
>
> In this case, what integrity is being enforced? Integrity of the
> user
> data? That's not covered here as it can manage the user
> data. Maybe
> not the configs, but user data is of much more consequence. It's
> not
> preventing network access, particularly to http, so there's nothing
> preventing it from sending out the user data either.

The latter is very easy to change, as a boolean can be used to
enable/disable software updates...

I can create a new version of the patch with such feature.

When all other applications are confined and ready to move on, we can
update the policy related to the management of user data (and/or
configuration).

At the moment, as a first step, it is better for usability and a
smoother transition if it inherits the ability to manage user files
from the unprivileged user domain.

Regards,

Guido

2016-11-30 11:40:47

by guido

Subject: [refpolicy] [PATCH v4] Apache OpenOffice module

This is a minimal patch that I am testing to support Apache OpenOffice
with its own module.

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

It includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/openoffice.fc | 30 +++++++++
policy/modules/contrib/openoffice.if | 48 +++++++++++++++
policy/modules/contrib/openoffice.te | 107 +++++++++++++++++++++++++++++++++++
policy/modules/roles/staff.te | 4 +
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 4 +
policy/modules/services/xserver.if | 19 ++++++
policy/modules/system/libraries.fc | 2
8 files changed, 218 insertions(+)

diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-11-26 15:05:58.006638672 +0100
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice4/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-26 15:03:47.654293949 +0100
@@ -0,0 +1,48 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
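Review bot: In `ooffice_role`, the rule `allow $2 ooffice_t:process { ptrace signal_perms };` gives every calling user domain ptrace over the confined process, which is more than is needed to start, list and signal it. Unless debugging OpenOffice from the user domain is a requirement, the rule could be narrowed to `allow $2 ooffice_t:process signal_perms;`. The interface summary ("Role access for openoffice.") also does not say what is granted; a line such as `## Allows the user domain to transition to, signal and list ooffice_t processes.` would document it for the three role modules that call it.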
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-11-30 12:26:43.119275241 +0100
@@ -0,0 +1,107 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+')
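Review bot: `sysnet_dns_name_resolve(ooffice_t)` sits outside the `openoffice_allow_update` tunable block, so switching the boolean off removes only `corenet_tcp_connect_http_port(ooffice_t)` and leaves name resolution allowed for ooffice_t. If nothing else in the domain needs DNS, move that call inside the tunable block next to the http port rule, so that the boolean covers all of the domain's outbound network access. The tunable is also declared with a default of `true`; `gen_tunable(openoffice_allow_update, false)` would make network access opt-in, which fits the least-privilege goal stated in the thread. `mozilla_domtrans(ooffice_t)` stays unconditional as well, and a short comment saying that opening links in the browser is intended regardless of the boolean would make that explicit.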
diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
--- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-10-29 16:29:13.453156183 +0200
+++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-11-26 15:03:47.656293970 +0100
@@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
--- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-11-26 15:03:47.657293980 +0100
@@ -721,6 +721,10 @@ optional_policy(`
')

optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
--- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-11-26 15:03:47.658293990 +0100
@@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-08-14 22:10:42.752848860 +0200
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-11-26 15:03:47.658293990 +0100
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`

########################################
## <summary>
+## Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)

+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)

2016-12-02 00:34:35

by Chris PeBenito

Subject: [refpolicy] [PATCH v4] Apache OpenOffice module

On 11/30/16 06:40, Guido Trentalancia via refpolicy wrote:
> This is a minimal patch that I am testing to support Apache OpenOffice
> with its own module.
>
> The file contexts (and initial tests) are based on the default
> installation path for version 4 of the office suite.
>
> It includes revisions from Dominick Grift.
>
> Since the third version it should correctly manage files in home
> directories and allow some other major functionality.
>
> The fourth version of the patch introduces a boolean to enable or
> disable software updates from the network (application and/or
> extensions).

I'm ok merging this, but it will have to be split into separate base and
contrib patches.


> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/openoffice.fc | 30 +++++++++
> policy/modules/contrib/openoffice.if | 48 +++++++++++++++
> policy/modules/contrib/openoffice.te | 107 +++++++++++++++++++++++++++++++++++
> policy/modules/roles/staff.te | 4 +
> policy/modules/roles/sysadm.te | 4 +
> policy/modules/roles/unprivuser.te | 4 +
> policy/modules/services/xserver.if | 19 ++++++
> policy/modules/system/libraries.fc | 2
> 8 files changed, 218 insertions(+)
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
> --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-11-26 15:05:58.006638672 +0100
> @@ -0,0 +1,30 @@
> +HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
> +
> +/opt/openoffice4/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice4/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
> --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-26 15:03:47.654293949 +0100
> @@ -0,0 +1,48 @@
> +## <summary>Openoffice suite.</summary>
> +
> +############################################################
> +## <summary>
> +## Role access for openoffice.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_role',`
> + gen_require(`
> + attribute_role ooffice_roles;
> + type ooffice_t, ooffice_exec_t;
> + ')
> +
> + roleattribute $1 ooffice_roles;
> +
> + domtrans_pattern($2, ooffice_exec_t, ooffice_t)
> +
> + allow $2 ooffice_t:process { ptrace signal_perms };
> + ps_process_pattern($2, ooffice_t)
> +')
> +
> +########################################
> +## <summary>
> +## Run openoffice in its own domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_domtrans',`
> + gen_require(`
> + type ooffice_t, ooffice_exec_t;
> + ')
> +
> + domtrans_pattern($1, ooffice_exec_t, ooffice_t)
> +')
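Review bot: `ooffice_role` gives the calling user domain `ptrace` on the confined process in `allow $2 ooffice_t:process { ptrace signal_perms };`, which lets any process in that domain read and modify the memory of `ooffice_t`. Signalling and `ps_process_pattern($2, ooffice_t)` already cover ordinary process management, so I would drop the permission: `allow $2 ooffice_t:process signal_perms;`. If debugging the office suite from the user domain is wanted, that can be granted separately and conditionally rather than as part of role access. The same line is in the v5 2/2 posting of this file.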
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
> --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-11-30 12:26:43.119275241 +0100
> @@ -0,0 +1,107 @@
> +policy_module(openoffice, 1.0.0)
> +
> +##############################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether openoffice can
> +## download software updates from the
> +## network (application and/or
> +## extensions).
> +## </p>
> +## </desc>
> +gen_tunable(openoffice_allow_update, true)
> +
> +attribute_role ooffice_roles;
> +
> +type ooffice_t;
> +type ooffice_exec_t;
> +userdom_user_application_domain(ooffice_t, ooffice_exec_t)
> +role ooffice_roles types ooffice_t;
> +
> +type ooffice_home_t;
> +userdom_user_home_content(ooffice_home_t)
> +
> +type ooffice_tmp_t;
> +files_tmp_file(ooffice_tmp_t)
> +
> +##############################
> +#
> +# Openoffice local policy
> +#
> +
> +allow ooffice_t self:process { execmem getsched signal };
> +allow ooffice_t self:shm create_shm_perms;
> +allow ooffice_t self:fifo_file rw_fifo_file_perms;
> +allow ooffice_t self:unix_stream_socket connectto;
> +
> +allow ooffice_t ooffice_home_t:dir manage_dir_perms;
> +allow ooffice_t ooffice_home_t:file manage_file_perms;
> +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
> +userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
> +
> +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
> +
> +can_exec(ooffice_t, ooffice_exec_t)
> +
> +corecmd_exec_bin(ooffice_t)
> +corecmd_exec_shell(ooffice_t)
> +
> +dev_read_sysfs(ooffice_t)
> +dev_read_urand(ooffice_t)
> +
> +files_getattr_all_dirs(ooffice_t)
> +files_getattr_all_files(ooffice_t)
> +files_getattr_all_symlinks(ooffice_t)
> +files_read_etc_files(ooffice_t)
> +files_read_usr_files(ooffice_t)
> +
> +fs_getattr_xattr_fs(ooffice_t)
> +
> +miscfiles_read_fonts(ooffice_t)
> +miscfiles_read_localization(ooffice_t)
> +
> +sysnet_dns_name_resolve(ooffice_t)
> +
> +userdom_manage_user_home_content_dirs(ooffice_t)
> +userdom_manage_user_home_content_files(ooffice_t)
> +userdom_manage_user_home_content_symlinks(ooffice_t)
> +userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
> +
> +tunable_policy(`openoffice_allow_update',`
> + corenet_tcp_connect_http_port(ooffice_t)
> +')
> +
> +optional_policy(`
> + cups_read_config(ooffice_t)
> + cups_stream_connect(ooffice_t)
> +')
> +
> +optional_policy(`
> + dbus_all_session_bus_client(ooffice_t)
> +')
> +
> +optional_policy(`
> + hostname_exec(ooffice_t)
> +')
> +
> +optional_policy(`
> + java_exec(ooffice_t)
> +')
> +
> +optional_policy(`
> + mozilla_domtrans(ooffice_t)
> +')
> +
> +optional_policy(`
> + xserver_read_user_iceauth(ooffice_t)
> + xserver_read_user_xauth(ooffice_t)
> + xserver_read_xdm_tmp_files(ooffice_t)
> + xserver_stream_connect(ooffice_t)
> +')
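Review bot: `gen_tunable(openoffice_allow_update, true)` ships the update boolean enabled, so the `corenet_tcp_connect_http_port(ooffice_t)` rule inside `tunable_policy` is active on every system until an administrator turns it off. As the boolean exists to let sites restrict outbound connections from the office suite, I would default it to off, `gen_tunable(openoffice_allow_update, false)`, and leave it to users who want in-application updates to enable it. `sysnet_dns_name_resolve(ooffice_t)` sits outside the tunable and could move into the same block if name resolution is needed only for updates, which the hunk does not show. The same declaration appears in the v5 2/2 posting.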
> diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
> --- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-10-29 16:29:13.453156183 +0200
> +++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-11-26 15:03:47.656293970 +0100
> @@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + ooffice_role(staff_r, staff_t)
> + ')
> +
> + optional_policy(`
> pyzor_role(staff_r, staff_t)
> ')
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
> --- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-10-29 16:29:13.454156211 +0200
> +++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-11-26 15:03:47.657293980 +0100
> @@ -721,6 +721,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ooffice_role(sysadm_r, sysadm_t)
> +')
> +
> +optional_policy(`
> openct_admin(sysadm_t, sysadm_r)
> ')
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
> --- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-10-29 16:29:13.454156211 +0200
> +++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-11-26 15:03:47.658293990 +0100
> @@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + ooffice_role(user_r, user_t)
> + ')
> +
> + optional_policy(`
> postgresql_role(user_r, user_t)
> ')
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
> --- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-08-14 22:10:42.752848860 +0200
> +++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-11-26 15:03:47.658293990 +0100
> @@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`
>
> ########################################
> ## <summary>
> +## Read all users .ICEauthority.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_read_user_iceauth',`
> + gen_require(`
> + type iceauth_home_t;
> + ')
> +
> + allow $1 iceauth_home_t:file read_file_perms;
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Set the attributes of the X windows console named pipes.
> ## </summary>
> ## <param name="domain">
> diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
> --- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200
> +++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100
> @@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
> /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
>
> +/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
> +
> /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> # despite the extensions, they are actually libs
> /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito

2016-12-02 00:42:13

by Chris PeBenito

Subject: [refpolicy] [PATCH] Apache OpenOffice module

On 11/30/16 01:52, Dominick Grift wrote:
> On 11/30/2016 01:23 AM, Chris PeBenito wrote:
>> On 11/29/16 06:51, Dominick Grift wrote:
>>> On 11/29/2016 02:48 AM, Chris PeBenito wrote:
>>>> On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
>>>>> On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
>>>>>> This is a minimal patch that I am testing to support Apache OpenOffice
>>>>>> with its own module.
>>>>>>
>>>>>> The file contexts (and initial tests) are based on the default
>>>>>> installation path for version 4 of the office suite.
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>>> ---
>>>> [...]
>>>>>
>>>>> I am personally of the opinion that this module probably will not
>>>>> cut it
>>>>> in the end. Basically because it's too limited, especially considering
>>>>> that it uses dbus.
>>>>
>>>> I'm unclear what the purpose of this policy is. Users aren't going to
>>>> expect this kind of limitation. They should be able to edit whatever
>>>> their user domain has access to, i.e. the same reason vim doesn't have a
>>>> policy.
>>>>
>>>
>>> vim is a text editor. open/libre office is a office suite.
>>>
>>> I do not believe that anyone expects the latter to be able to manage
>>> config, data and cache files.
>>>
>>> If you want to enforce some integrity on the desktop then you have to
>>> draw the line somewhere sometimes. I suppose that is what enforcing
>>> integrity is all about after all...
>>
>> In this case, what integrity is being enforced? Integrity of the user
>> data? That's not covered here as it can manage the user data. Maybe
>> not the configs, but user data is of much more consequence. It's not
>> preventing network access, particularly to http, so there's nothing
>> preventing it from sending out the user data either.
>
> I would argue that in a desktop system the most sensitive data is
> config, cache and data. So integrity should be enforced on this content.
> (e.g.) strictly restrict access to the private types of config, data and
> cache.
>
> .gnupg is config, often it houses private key files. Only gnupg should
> be able to access this file directly. this key is like your identity. It
> has to be protected. .ssh is ssh-client config it might have private key
> files. These are like your authentication credentials and should be
> protected and only ssh client should have access to it. The
> gnome-keyring data has sensitive info and should be protected. Many

This alone is what convinces me to merge it. I still think that generic
user data is the highest priority by many orders of magnitude. If I had a
copy of my tax forms or health info (or pick some other extremely
personal, sensitive document) on my system, I would be FAR angrier if
that was compromised, compared to my GPG key. GPG keys can be revoked
and passwords can be changed.



--
Chris PeBenito

2016-12-02 01:09:15

by Mira Ressel

Subject: [refpolicy] [PATCH] Apache OpenOffice module

On Thu, 1 Dec 2016 19:42:13 -0500
Chris PeBenito via refpolicy <[email protected]> wrote:

> This alone is what convinces me to merge it. I still think that
> generic user data is still the highest priority by many magnitudes.
> If I had a copy of my tax forms or health info (or pick some other
> extremely personal, sensitive document) on my system, I would be FAR
> angrier if that was compromised, compared to my GPG key. GPG keys
> can be revoked and passwords can be changed.

I agree, but I think protection of personal documents is something that
every one of us needs to implement for themselves [1], because the
individual workflows and requirements differ vastly. Contrast this
with things like gnupg: There it makes sense to include a common policy
in refpol because everyone will have similar data layouts for gnupg
stuff (everything stored in ~/.gnupg/, basically) and access this data
with similar tools.

I don't really care about the proposed OpenOffice policy, as I don't
use office suites myself, but if it's merged, I expect many
discussions about stuff like "Should MUAs be allowed to access OO
documents?".

[1] For example, on my systems there's a separate user account for
online banking, and sensitive documents (mostly txt's and pdf's) are
stored under my regular user account, but with a custom SELinux type
that can only be accessed after transitioning via "newrole".

Regards,
Luis

2016-12-02 07:31:51

by Dac Override

Subject: [refpolicy] [PATCH] Apache OpenOffice module

On 12/02/2016 01:42 AM, Chris PeBenito wrote:
> On 11/30/16 01:52, Dominick Grift wrote:
>> On 11/30/2016 01:23 AM, Chris PeBenito wrote:
>>> On 11/29/16 06:51, Dominick Grift wrote:
>>>> On 11/29/2016 02:48 AM, Chris PeBenito wrote:
>>>>> On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
>>>>>> On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
>>>>>>> This is a minimal patch that I am testing to support Apache
>>>>>>> OpenOffice
>>>>>>> with its own module.
>>>>>>>
>>>>>>> The file contexts (and initial tests) are based on the default
>>>>>>> installation path for version 4 of the office suite.
>>>>>>>
>>>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>>>> ---
>>>>> [...]
>>>>>>
>>>>>> I am personally of the opinion that this module probably will not
>>>>>> cut it
>>>>>> in the end. Basically because it's too limited, especially
>>>>>> considering
>>>>>> that it uses dbus.
>>>>>
>>>>> I'm unclear what the purpose of this policy is. Users aren't going to
>>>>> expect this kind of limitation. They should be able to edit whatever
>>>>> their user domain has access to, i.e. the same reason vim doesn't
>>>>> have a
>>>>> policy.
>>>>>
>>>>
>>>> vim is a text editor. open/libre office is a office suite.
>>>>
>>>> I do not believe that anyone expects the latter to be able to manage
>>>> config, data and cache files.
>>>>
>>>> If you want to enforce some integrity on the desktop then you have to
>>>> draw the line somewhere sometimes. I suppose that is what enforcing
>>>> integrity is all about after all...
>>>
>>> In this case, what integrity is being enforced? Integrity of the user
>>> data? That's not covered here as it can manage the user data. Maybe
>>> not the configs, but user data is of much more consequence. It's not
>>> preventing network access, particularly to http, so there's nothing
>>> preventing it from sending out the user data either.
>>
>> I would argue that in a desktop system the most sensitive data is
>> config, cache and data. So integrity should be enforced on this content.
>> (e.g.) strictly restrict access to the private types of config, data and
>> cache.
>>
>> .gnupg is config, often it houses private key files. Only gnupg should
>> be able to access this file directly. this key is like your identity. It
>> has to be protected. .ssh is ssh-client config it might have private key
>> files. These are like your authentication credentials and should be
>> protected and only ssh client should have access to it. The
>> gnome-keyring data has sensitive info and should be protected. Many
>
> This alone is what convinces me to merge it. I still think that generic
> user data is still the highest priority by many magnitudes. If I had a
> copy of my tax forms or health info (or pick some other extremely
> personal, sensitive document) on my system, I would be FAR angrier if
> that was compromised, compared to my GPG key. GPG keys can be revoked
> and passwords can be changed.
>

A copy of those faxes is probably stored on some insecure
site(s)/database(s) on the web, something you have little control over.
I agree though that generic user content is often also sensitive, but
many agents just want access to it, restricting that by default would
seriously harm experience and probably lead to situations where trying
to restrict it defeats the purpose. Instead consider encryption for this
purpose.

You can say that you can revoke keys and change passwords, but do
consider that by then the harm may already have been done. And restoring
"reputation" might not be as easy as it may seem. Also remember that the
internet does not forget so easily.

>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-12-02 11:24:31

by guido

Subject: [refpolicy] [PATCH v5 1/2] Apache OpenOffice module (base policy part)

This is a minimal patch that I am testing to support Apache OpenOffice
with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

This fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
policy/modules/services/xserver.if | 19 +++++++++++++++++++
policy/modules/system/libraries.fc | 2 ++
5 files changed, 33 insertions(+)

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
--- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-10-29 16:29:13.453156183 +0200
+++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-11-26 15:03:47.656293970 +0100
@@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
--- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-11-26 15:03:47.657293980 +0100
@@ -721,6 +721,10 @@ optional_policy(`
')

optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
--- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-11-26 15:03:47.658293990 +0100
@@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-08-14 22:10:42.752848860 +0200
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-11-26 15:03:47.658293990 +0100
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`

########################################
## <summary>
+## Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)

+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)

2016-12-02 11:24:44

by guido

Subject: [refpolicy] [PATCH v5 2/2] Apache OpenOffice module (contrib policy part)

This is a minimal patch that I am testing to support Apache OpenOffice
with its own module (contrib policy part, 2/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

This fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

It should be noted that this patch can probably be adapted very
easily to also support version 3 (at least), by simply adding
duplicate file contexts (~/.openoffice.org in addition to ~/.openoffice
for ooffice_home_t and /opt/openoffice.org in addition to
/opt/openoffice4 for the default installation path): however,
this has not been tested.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/openoffice.fc | 30 +++++++++
policy/modules/contrib/openoffice.if | 48 +++++++++++++++
policy/modules/contrib/openoffice.te | 108 +++++++++++++++++++++++++++++++++++
3 files changed, 186 insertions(+)

diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-11-26 15:05:58.006638672 +0100
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice4/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-26 15:03:47.654293949 +0100
@@ -0,0 +1,48 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-11-30 12:52:19.362253012 +0100
@@ -0,0 +1,108 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+ xserver_stream_connect_xdm(ooffice_t)
+')
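Review bot: `gen_tunable(openoffice_allow_update, true)` makes outbound connections to the HTTP port the default for a domain that routinely opens documents from untrusted sources. A default-off posture, `gen_tunable(openoffice_allow_update, false)`, lets the administrator opt in to update downloads instead of having to know to opt out. `sysnet_dns_name_resolve(ooffice_t)` also sits outside the `tunable_policy` block, so name resolution stays allowed when the boolean is off; if that is intentional, a comment above it saying what needs DNS without updates would help the next reader. The same applies to the v6 2/2 copy of this file.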

2016-12-03 10:46:28

by Christian Göttsche

Subject: [refpolicy] [PATCH] Apache OpenOffice module

Some questions came up to me caused by this patch:

1.) Why does OpenOffice needs all the files_getattr_all* permissions?

2.) What is the guideline whether guarding the execmem permission by a
'allow_execmem' block?

3.) What is the guideline where to put filecontexts with base types?
This patch contains the additions

diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc
refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc
2016-08-14 21:24:48.961382244 +0200
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc
2016-11-26 15:03:47.659294001 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar --
gen_context(system_u:object_r:lib_t,s0)

+/opt/openoffice4/program/.+\.so(\.[^/]*)* --
gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api --
gen_context(system_u:object_r:lib_t,s0)

lib_t is defined in libraries.te so maybe it makes sense to put the
filecontext into the belonging libraries.fc file.
But by this method the libraries.fc file (and also the corecommands.fc
one) are quite big and might contain contexts no one will ever update
or remove, because there is no obvious relationship to a module. Just
my thoughts.

Kindly Regards,
Christian Göttsche

2016-12-03 16:11:20

by guido

Subject: [refpolicy] [PATCH] Apache OpenOffice module

Hello.

On Sat, 03/12/2016 at 11.46 +0100, cgzones via refpolicy wrote:
> Some questions came up to me caused by this patch:
>
> 1.) Why does OpenOffice needs all the files_getattr_all* permissions?

It is needed, for example, to select the email application in the
options (Tools->Options->Internet->eMail). It is harmless.

> 2.) What is the guideline whether guarding the execmem permission by
> a
> 'allow_execmem' block?

The application won't start without the execmem permission, so it is
pointless to enclose it in a tunable policy block.

> 3.) What is the guideline where to put filecontexts with base types?
> This patch contains the additions
>
> diff -pruN refpolicy-git-25112016-
> orig/policy/modules/system/libraries.fc
> refpolicy-git-25112016/policy/modules/system/libraries.fc
> --- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc
> ?2016-08-14 21:24:48.961382244 +0200
> +++ refpolicy-git-25112016/policy/modules/system/libraries.fc
> 2016-11-26 15:03:47.659294001 +0100
> @@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
> ?/opt/(.*/)?jre.*/.+\.so(\.[^/]*)*??????--
> gen_context(system_u:object_r:textrel_shlib_t,s0)
> ?/opt/(.*/)?jre/.+\.jar?????????????????--
> gen_context(system_u:object_r:lib_t,s0)
>
> +/opt/openoffice4/program/.+\.so(\.[^/]*)*??????--
> gen_context(system_u:object_r:lib_t,s0)
> +
> ?/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --
> gen_context(system_u:object_r:textrel_shlib_t,s0)
> ?# despite the extensions, they are actually libs
> ?/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api --
> gen_context(system_u:object_r:lib_t,s0)
>
> lib_t is defined in libraries.te so maybe it makes sense to put the
> filecontext into the belonging libraries.fc file.
> But by this method the libraries.fc file (and also the
> corecommands.fc
> one) are quite big and might contain contexts no one will ever update
> or remove, because there is no obvious relationship to a module. Just
> my thoughts.

I prefer to keep the file contexts in their proper place.

> Kindly Regards,
> Christian Göttsche

Regards,

Guido

2016-12-04 14:04:46

by guido

Subject: [refpolicy] [PATCH v6 1/2] Apache OpenOffice module (base policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

This sixth version of this patch removes obsolete executable
permission from the unconfined module.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
policy/modules/services/xserver.if | 19 +++++++++++++++++++
policy/modules/system/libraries.fc | 2 ++
policy/modules/system/unconfined.fc | 1 -
6 files changed, 33 insertions(+), 1 deletion(-)

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
--- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-12-04 14:08:03.779762377 +0100
+++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-12-02 15:27:20.272710161 +0100
@@ -141,6 +142,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
--- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-12-04 14:08:03.793762581 +0100
+++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-12-02 15:26:58.253515665 +0100
@@ -721,6 +721,10 @@ optional_policy(`
')

optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
--- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-12-04 14:08:03.794762596 +0100
+++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-12-02 15:26:24.077227786 +0100
@@ -114,6 +115,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-12-04 14:08:03.794762596 +0100
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-12-04 14:08:26.795097338 +0100
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`

########################################
## <summary>
+## Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
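Review bot: The summary of `xserver_read_user_iceauth`, "Read all users .ICEauthority.", does not tell a caller what it is being trusted with. The file behind `iceauth_home_t` holds the ICE authentication data used to talk to the session manager, so a summary such as `## Read the ICE authentication file (.ICEauthority) of all users.` would be clearer. The call site in openoffice.te could also carry a one-line comment on why the office suite needs it. The hunk ends inside the header of the following interface, and the same hunk is repeated in v7 1/2.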
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-12-04 14:08:03.795762611 +0100
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)

+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
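Review bot: The added entry still hard-codes `/opt/openoffice4/`, while the contrib part of this series (v6 2/2) generalises openoffice.fc to `/opt/openoffice(.*)?/program/...`. On an install under another directory name the executables would get `ooffice_exec_t` but the shared objects would miss `lib_t` and keep whatever label the parent directory gives them, which presumably ends in denials when `ooffice_t` loads them. Keeping both files in step, for example `/opt/openoffice[^/]*/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)`, avoids that. The v7 1/2 copy of this hunk has the same line.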
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/unconfined.fc refpolicy-git-25112016/policy/modules/system/unconfined.fc
--- refpolicy-git-25112016-orig/policy/modules/system/unconfined.fc 2016-08-14 21:24:48.971382400 +0200
+++ refpolicy-git-25112016/policy/modules/system/unconfined.fc 2016-12-04 14:19:24.768673321 +0100
@@ -6,7 +6,6 @@
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)

/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)

/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)


2016-12-04 14:05:00

by guido

Subject: [refpolicy] [PATCH v6 2/2] Apache OpenOffice module (contrib policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (contrib policy part, 2/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

This sixth version of the patch adds the ability to run the
evolution email application.

Although this patch has only been tested with Apache OpenOffice
version 4, it might also work with earlier versions (in particular
version 3) or at least it can be easily adapted for the purpose.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/evolution.if | 20 +++++
policy/modules/contrib/openoffice.fc | 30 ++++++++
policy/modules/contrib/openoffice.if | 48 ++++++++++++++
policy/modules/contrib/openoffice.te | 117 +++++++++++++++++++++++++++++++++++
4 files changed, 215 insertions(+)

diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if refpolicy-git-25112016/policy/modules/contrib/evolution.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if 2016-09-28 14:20:57.460241441 +0200
+++ refpolicy-git-25112016/policy/modules/contrib/evolution.if 2016-12-04 14:40:57.398485935 +0100
@@ -188,3 +188,23 @@ interface(`evolution_alarm_dbus_chat',`
allow $1 evolution_alarm_t:dbus send_msg;
allow evolution_alarm_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Make a domain transition to the
+## evolution target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_domtrans',`
+ gen_require(`
+ type evolution_t, evolution_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, evolution_exec_t, evolution_t);
+')
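Review bot: The call `domtrans_pattern($1, evolution_exec_t, evolution_t);` ends with a semicolon, unlike the other macro calls in this series (compare `ooffice_domtrans`). The parameter is also described as "Domain allowed access." where the sibling interface says "Domain allowed to transition.". Writing `domtrans_pattern($1, evolution_exec_t, evolution_t)` and aligning the parameter text keeps the two domtrans interfaces consistent. The v7 2/2 copy of this hunk carries the same line.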
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-12-04 14:34:22.734742098 +0100
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
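Review bot: The directory part `openoffice(.*)?` is wider than the versioned install directory it is meant to cover. `.*` also matches `/`, so any path under /opt that starts with `openoffice` and later contains `/program/soffice` (and likewise for the other names) receives the entry-point type `ooffice_exec_t`; the trailing `?` is redundant as well. Since that label decides which files can be used to enter `ooffice_t`, a pattern confined to a single path component is tighter, e.g. `/opt/openoffice[^/]*/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)` for each entry.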
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-26 15:03:47.654293949 +0100
@@ -0,0 +1,48 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-12-04 14:59:01.626020715 +0100
@@ -0,0 +1,117 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ evolution_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+ xserver_stream_connect_xdm(ooffice_t)
+')
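Review bot: openoffice.fc in this version labels both `.openoffice` and `.openoffice.org` under the home directory as `ooffice_home_t`, but the named transition here still covers only the first: `userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")`. A `.openoffice.org` directory created by `ooffice_t` would fall through to the generic `userdom_user_home_dir_filetrans_user_home_content` rule and carry the generic user home content type until it is relabelled. Adding `userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice.org")` keeps the runtime label and the file context in agreement.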

2016-12-04 15:20:01

by guido

Subject: [refpolicy] [PATCH v7 1/2] Apache OpenOffice module (base policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of this patch removes obsolete executable
permission from the unconfined module.

This seventh version brings no changes in the base part of the
patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
policy/modules/services/xserver.if | 19 +++++++++++++++++++
policy/modules/system/libraries.fc | 2 ++
policy/modules/system/unconfined.fc | 1 -
6 files changed, 33 insertions(+), 1 deletion(-)

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
--- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-12-04 14:08:03.779762377 +0100
+++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-12-02 15:27:20.272710161 +0100
@@ -141,6 +142,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
--- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-12-04 14:08:03.793762581 +0100
+++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-12-02 15:26:58.253515665 +0100
@@ -721,6 +721,10 @@ optional_policy(`
')

optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
--- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-12-04 14:08:03.794762596 +0100
+++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-12-02 15:26:24.077227786 +0100
@@ -114,6 +115,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-12-04 14:08:03.794762596 +0100
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-12-04 14:08:26.795097338 +0100
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`

########################################
## <summary>
+## Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-12-04 14:08:03.795762611 +0100
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)

+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/unconfined.fc refpolicy-git-25112016/policy/modules/system/unconfined.fc
--- refpolicy-git-25112016-orig/policy/modules/system/unconfined.fc 2016-08-14 21:24:48.971382400 +0200
+++ refpolicy-git-25112016/policy/modules/system/unconfined.fc 2016-12-04 14:19:24.768673321 +0100
@@ -6,7 +6,6 @@
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)

/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)

/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)


2016-12-04 15:26:08

by guido

Subject: [refpolicy] [PATCH v7 2/2] Apache OpenOffice module (contrib policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (contrib policy part, 2/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of the patch adds the ability to run the
evolution email application.

This seventh version of the patch improves the integration with
the evolution email application.

Although this patch has only been tested with Apache OpenOffice
version 4, it might also work with earlier versions (in particular
version 3) or at least it can be easily adapted for the purpose.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/evolution.if | 38 +++++++++++
policy/modules/contrib/evolution.te | 5 +
policy/modules/contrib/openoffice.fc | 30 ++++++++
policy/modules/contrib/openoffice.if | 67 +++++++++++++++++++
policy/modules/contrib/openoffice.te | 118 +++++++++++++++++++++++++++++++++++
5 files changed, 258 insertions(+)

diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if refpolicy-git-25112016/policy/modules/contrib/evolution.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if 2016-12-04 16:02:48.317069925 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/evolution.if 2016-12-04 16:03:37.777350810 +0100
@@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`

########################################
## <summary>
+## Read evolution home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_evolution_home_files',`
+ gen_require(`
+ type evolution_t, evolution_home_t;
+ ')
+
+ read_files_pattern($1, evolution_home_t, evolution_home_t)
+')
+
+########################################
+## <summary>
## Connect to evolution using a unix
## domain stream socket.
## </summary>
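Review bot: `evolution_read_evolution_home_files` lists `evolution_t` in its `gen_require` block but never uses it; `type evolution_home_t;` is enough, and the extra requirement ties the interface to a type it does not need. The body grants only `read_files_pattern($1, evolution_home_t, evolution_home_t)`. Unlike `xserver_read_user_iceauth` in the base patch, it does not call `userdom_search_user_home_dirs($1)`, so a caller that cannot already traverse the user home directory will presumably still be denied. The hunk ends in the header of the next interface.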
@@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',`
allow $1 evolution_alarm_t:dbus send_msg;
allow evolution_alarm_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Make a domain transition to the
+## evolution target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_domtrans',`
+ gen_require(`
+ type evolution_t, evolution_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, evolution_exec_t, evolution_t);
+')
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te refpolicy-git-25112016/policy/modules/contrib/evolution.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te 2016-12-04 15:48:16.164030673 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/evolution.te 2016-12-04 15:48:37.116534261 +0100
@@ -270,6 +270,11 @@ optional_policy(`
')

optional_policy(`
+ ooffice_domtrans(evolution_t)
+ ooffice_rw_ooffice_tmp_files(evolution_t)
+')
+
+optional_policy(`
spamassassin_exec_spamd(evolution_t)
spamassassin_domtrans_client(evolution_t)
spamassassin_domtrans_local_client(evolution_t)
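Review bot: The two added lines carry no comment explaining why the mail client needs them. `ooffice_domtrans(evolution_t)` mirrors the `evolution_domtrans(ooffice_t)` call seen in the v6 openoffice.te, so each domain can start the other, and `ooffice_rw_ooffice_tmp_files(evolution_t)` additionally lets the mail client read and write the office suite's temporary files. A comment such as `# open attachments in openoffice and pick up documents sent from it` (to be confirmed by the author) would record the intent. The definition of `ooffice_rw_ooffice_tmp_files` is not in this part of the page, so whether read-only access would suffice cannot be judged here. The spamassassin `optional_policy` block continues outside the hunk.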
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-12-04 14:34:22.734742098 +0100
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
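Review bot: The `(.*)?` in `/opt/openoffice(.*)?/program/...` also matches `/`, so a file with one of these names under a `program` directory at any depth below a path beginning with `/opt/openoffice` is labelled ooffice_exec_t, which is the entrypoint type for ooffice_t. Limiting the wildcard to a single path component keeps the label on the installation directory itself, for example `/opt/openoffice[^/]*/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)`, and likewise for the other `/opt` entries. The `?` after `(.*)` is redundant in any case, since `.*` already matches the empty string.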
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-12-04 15:36:53.136278874 +0100
@@ -0,0 +1,67 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
+
+########################################
+## <summary>
+## Read and write temporary
+## openoffice files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_rw_ooffice_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+')
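Review bot: `allow $2 ooffice_t:process { ptrace signal_perms };` in `ooffice_role` lets the whole user domain ptrace the office process, which means reading and changing its memory, and that is not needed to start, signal or list it. Unless a debugging use case is intended, `allow $2 ooffice_t:process signal_perms;` is sufficient next to `ps_process_pattern($2, ooffice_t)`. If ptrace stays, a comment above the rule should say what depends on it.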
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-12-04 16:05:06.872422860 +0100
@@ -0,0 +1,118 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ evolution_domtrans(ooffice_t)
+ evolution_read_evolution_home_files(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+ xserver_stream_connect_xdm(ooffice_t)
+')
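Review bot: `gen_tunable(openoffice_allow_update, true)` turns on outbound HTTP by default for ooffice_t, a domain that this policy also lets manage all user home content. Declaring it as `gen_tunable(openoffice_allow_update, false)` would make network access an explicit choice. `sysnet_dns_name_resolve(ooffice_t)` sits outside the `tunable_policy` block, so name resolution remains allowed when the boolean is off; if it is only needed for updates (not visible from the patch), it belongs inside that block. Separately, openoffice.fc labels `.openoffice.org` too, but the named transition `userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")` covers only `.openoffice`, so a second call for `".openoffice.org"` appears to be missing.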

2016-12-04 17:51:44

by Chris PeBenito

Subject: [refpolicy] [PATCH v7 2/2] Apache OpenOffice module (contrib policy part)

On 12/04/16 10:26, Guido Trentalancia via refpolicy wrote:
> This is a patch that I have created and tested to support Apache
> OpenOffice with its own module (contrib policy part, 2/2).
>
> The file contexts (and initial tests) are based on the default
> installation path for version 4 of the office suite.
>
> Since the second version it includes revisions from Dominick Grift.
>
> Since the third version it should correctly manage files in home
> directories and allow some other major functionality.
>
> The fourth version of the patch introduces a boolean to enable or
> disable software updates from the network (application and/or
> extensions).
>
> The fifth version of the patch adds the ability to connect to the
> X display manager (XDM) using Unix domain sockets (interface
> xserver_stream_connect_xdm()). Also the fifth version splits the
> whole patch into separate base policy / contrib policy patches as
> required.
>
> The sixth version of the patch adds the ability to run the
> evolution email application.
>
> This seventh version of the patch, improves the integration with
> the evolution email application.
>
> Although this patch has only been tested with Apache OpenOffice
> version 4, it might also work with earlier versions (in particular
> version 3) or at least it can be easily adapted for the purpose.

Are you still working on this? I was about to merge v6 when this appeared.



> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/evolution.if | 38 +++++++++++
> policy/modules/contrib/evolution.te | 5 +
> policy/modules/contrib/openoffice.fc | 30 ++++++++
> policy/modules/contrib/openoffice.if | 67 +++++++++++++++++++
> policy/modules/contrib/openoffice.te | 118 +++++++++++++++++++++++++++++++++++
> 5 files changed, 258 insertions(+)
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if refpolicy-git-25112016/policy/modules/contrib/evolution.if
> --- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if 2016-12-04 16:02:48.317069925 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/evolution.if 2016-12-04 16:03:37.777350810 +0100
> @@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`
>
> ########################################
> ## <summary>
> +## Read evolution home files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`evolution_read_evolution_home_files',`
> + gen_require(`
> + type evolution_t, evolution_home_t;
> + ')
> +
> + read_files_pattern($1, evolution_home_t, evolution_home_t)
> +')
> +
> +########################################
> +## <summary>
> ## Connect to evolution using a unix
> ## domain stream socket.
> ## </summary>
> @@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',`
> allow $1 evolution_alarm_t:dbus send_msg;
> allow evolution_alarm_t $1:dbus send_msg;
> ')
> +
> +########################################
> +## <summary>
> +## Make a domain transition to the
> +## evolution target domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`evolution_domtrans',`
> + gen_require(`
> + type evolution_t, evolution_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, evolution_exec_t, evolution_t);
> +')
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te refpolicy-git-25112016/policy/modules/contrib/evolution.te
> --- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te 2016-12-04 15:48:16.164030673 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/evolution.te 2016-12-04 15:48:37.116534261 +0100
> @@ -270,6 +270,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ooffice_domtrans(evolution_t)
> + ooffice_rw_ooffice_tmp_files(evolution_t)
> +')
> +
> +optional_policy(`
> spamassassin_exec_spamd(evolution_t)
> spamassassin_domtrans_client(evolution_t)
> spamassassin_domtrans_local_client(evolution_t)
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
> --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-12-04 14:34:22.734742098 +0100
> @@ -0,0 +1,30 @@
> +HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
> +
> +/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> +/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
> --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-12-04 15:36:53.136278874 +0100
> @@ -0,0 +1,67 @@
> +## <summary>Openoffice suite.</summary>
> +
> +############################################################
> +## <summary>
> +## Role access for openoffice.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_role',`
> + gen_require(`
> + attribute_role ooffice_roles;
> + type ooffice_t, ooffice_exec_t;
> + ')
> +
> + roleattribute $1 ooffice_roles;
> +
> + domtrans_pattern($2, ooffice_exec_t, ooffice_t)
> +
> + allow $2 ooffice_t:process { ptrace signal_perms };
> + ps_process_pattern($2, ooffice_t)
> +')
> +
> +########################################
> +## <summary>
> +## Run openoffice in its own domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_domtrans',`
> + gen_require(`
> + type ooffice_t, ooffice_exec_t;
> + ')
> +
> + domtrans_pattern($1, ooffice_exec_t, ooffice_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read and write temporary
> +## openoffice files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_rw_ooffice_tmp_files',`
> + gen_require(`
> + type ooffice_tmp_t;
> + ')
> +
> + rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
> +')
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
> --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-12-04 16:05:06.872422860 +0100
> @@ -0,0 +1,118 @@
> +policy_module(openoffice, 1.0.0)
> +
> +##############################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether openoffice can
> +## download software updates from the
> +## network (application and/or
> +## extensions).
> +## </p>
> +## </desc>
> +gen_tunable(openoffice_allow_update, true)
> +
> +attribute_role ooffice_roles;
> +
> +type ooffice_t;
> +type ooffice_exec_t;
> +userdom_user_application_domain(ooffice_t, ooffice_exec_t)
> +role ooffice_roles types ooffice_t;
> +
> +type ooffice_home_t;
> +userdom_user_home_content(ooffice_home_t)
> +
> +type ooffice_tmp_t;
> +files_tmp_file(ooffice_tmp_t)
> +
> +##############################
> +#
> +# Openoffice local policy
> +#
> +
> +allow ooffice_t self:process { execmem getsched signal };
> +allow ooffice_t self:shm create_shm_perms;
> +allow ooffice_t self:fifo_file rw_fifo_file_perms;
> +allow ooffice_t self:unix_stream_socket connectto;
> +
> +allow ooffice_t ooffice_home_t:dir manage_dir_perms;
> +allow ooffice_t ooffice_home_t:file manage_file_perms;
> +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
> +userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
> +
> +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
> +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
> +
> +can_exec(ooffice_t, ooffice_exec_t)
> +
> +corecmd_exec_bin(ooffice_t)
> +corecmd_exec_shell(ooffice_t)
> +
> +dev_read_sysfs(ooffice_t)
> +dev_read_urand(ooffice_t)
> +
> +files_getattr_all_dirs(ooffice_t)
> +files_getattr_all_files(ooffice_t)
> +files_getattr_all_symlinks(ooffice_t)
> +files_read_etc_files(ooffice_t)
> +files_read_usr_files(ooffice_t)
> +
> +fs_getattr_xattr_fs(ooffice_t)
> +
> +miscfiles_read_fonts(ooffice_t)
> +miscfiles_read_localization(ooffice_t)
> +
> +sysnet_dns_name_resolve(ooffice_t)
> +
> +userdom_dontaudit_exec_user_home_content_files(ooffice_t)
> +userdom_manage_user_home_content_dirs(ooffice_t)
> +userdom_manage_user_home_content_files(ooffice_t)
> +userdom_manage_user_home_content_symlinks(ooffice_t)
> +userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
> +
> +tunable_policy(`openoffice_allow_update',`
> + corenet_tcp_connect_http_port(ooffice_t)
> +')
> +
> +optional_policy(`
> + cups_read_config(ooffice_t)
> + cups_stream_connect(ooffice_t)
> +')
> +
> +optional_policy(`
> + dbus_all_session_bus_client(ooffice_t)
> +')
> +
> +optional_policy(`
> + evolution_domtrans(ooffice_t)
> + evolution_read_evolution_home_files(ooffice_t)
> +')
> +
> +optional_policy(`
> + hostname_exec(ooffice_t)
> +')
> +
> +optional_policy(`
> + java_exec(ooffice_t)
> +')
> +
> +optional_policy(`
> + mozilla_domtrans(ooffice_t)
> +')
> +
> +optional_policy(`
> + thunderbird_domtrans(ooffice_t)
> +')
> +
> +optional_policy(`
> + xserver_read_user_iceauth(ooffice_t)
> + xserver_read_user_xauth(ooffice_t)
> + xserver_read_xdm_tmp_files(ooffice_t)
> + xserver_stream_connect(ooffice_t)
> + xserver_stream_connect_xdm(ooffice_t)
> +')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito

2016-12-04 17:54:20

by guido

Subject: [refpolicy] [PATCH v7 2/2] Apache OpenOffice module (contrib policy part)

You can safely merge both patches.

Thanks,

Guido

On the 4th of December 2016 18:51:44 CET, Chris PeBenito <[email protected]> wrote:
>On 12/04/16 10:26, Guido Trentalancia via refpolicy wrote:
>> This is a patch that I have created and tested to support Apache
>> OpenOffice with its own module (contrib policy part, 2/2).
>>
>> The file contexts (and initial tests) are based on the default
>> installation path for version 4 of the office suite.
>>
>> Since the second version it includes revisions from Dominick Grift.
>>
>> Since the third version it should correctly manage files in home
>> directories and allow some other major functionality.
>>
>> The fourth version of the patch introduces a boolean to enable or
>> disable software updates from the network (application and/or
>> extensions).
>>
>> The fifth version of the patch adds the ability to connect to the
>> X display manager (XDM) using Unix domain sockets (interface
>> xserver_stream_connect_xdm()). Also the fifth version splits the
>> whole patch into separate base policy / contrib policy patches as
>> required.
>>
>> The sixth version of the patch adds the ability to run the
>> evolution email application.
>>
>> This seventh version of the patch, improves the integration with
>> the evolution email application.
>>
>> Although this patch has only been tested with Apache OpenOffice
>> version 4, it might also work with earlier versions (in particular
>> version 3) or at least it can be easily adapted for the purpose.
>
>Are you still working on this? I was about to merge v6 when this
>appeared.
>
>
>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/contrib/evolution.if | 38 +++++++++++
>> policy/modules/contrib/evolution.te | 5 +
>> policy/modules/contrib/openoffice.fc | 30 ++++++++
>> policy/modules/contrib/openoffice.if | 67 +++++++++++++++++++
>> policy/modules/contrib/openoffice.te | 118
>+++++++++++++++++++++++++++++++++++
>> 5 files changed, 258 insertions(+)
>>
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if
>refpolicy-git-25112016/policy/modules/contrib/evolution.if
>> ---
>refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if 2016-12-04
>16:02:48.317069925 +0100
>> +++
>refpolicy-git-25112016/policy/modules/contrib/evolution.if 2016-12-04
>16:03:37.777350810 +0100
>> @@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`
>>
>> ########################################
>> ## <summary>
>> +## Read evolution home files.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`evolution_read_evolution_home_files',`
>> + gen_require(`
>> + type evolution_t, evolution_home_t;
>> + ')
>> +
>> + read_files_pattern($1, evolution_home_t, evolution_home_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## Connect to evolution using a unix
>> ## domain stream socket.
>> ## </summary>
>> @@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',`
>> allow $1 evolution_alarm_t:dbus send_msg;
>> allow evolution_alarm_t $1:dbus send_msg;
>> ')
>> +
>> +########################################
>> +## <summary>
>> +## Make a domain transition to the
>> +## evolution target domain.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`evolution_domtrans',`
>> + gen_require(`
>> + type evolution_t, evolution_exec_t;
>> + ')
>> +
>> + corecmd_search_bin($1)
>> + domtrans_pattern($1, evolution_exec_t, evolution_t);
>> +')
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te
>refpolicy-git-25112016/policy/modules/contrib/evolution.te
>> ---
>refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te 2016-12-04
>15:48:16.164030673 +0100
>> +++
>refpolicy-git-25112016/policy/modules/contrib/evolution.te 2016-12-04
>15:48:37.116534261 +0100
>> @@ -270,6 +270,11 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>> + ooffice_domtrans(evolution_t)
>> + ooffice_rw_ooffice_tmp_files(evolution_t)
>> +')
>> +
>> +optional_policy(`
>> spamassassin_exec_spamd(evolution_t)
>> spamassassin_domtrans_client(evolution_t)
>> spamassassin_domtrans_local_client(evolution_t)
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc
>refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
>> ---
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01
>01:00:00.000000000 +0100
>> +++
>refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-12-04
>14:34:22.734742098 +0100
>> @@ -0,0 +1,30 @@
>>
>+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
>> +
>>
>+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if
>refpolicy-git-25112016/policy/modules/contrib/openoffice.if
>> ---
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01
>01:00:00.000000000 +0100
>> +++
>refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-12-04
>15:36:53.136278874 +0100
>> @@ -0,0 +1,67 @@
>> +## <summary>Openoffice suite.</summary>
>> +
>> +############################################################
>> +## <summary>
>> +## Role access for openoffice.
>> +## </summary>
>> +## <param name="role">
>> +## <summary>
>> +## Role allowed access.
>> +## </summary>
>> +## </param>
>> +## <param name="domain">
>> +## <summary>
>> +## User domain for the role.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`ooffice_role',`
>> + gen_require(`
>> + attribute_role ooffice_roles;
>> + type ooffice_t, ooffice_exec_t;
>> + ')
>> +
>> + roleattribute $1 ooffice_roles;
>> +
>> + domtrans_pattern($2, ooffice_exec_t, ooffice_t)
>> +
>> + allow $2 ooffice_t:process { ptrace signal_perms };
>> + ps_process_pattern($2, ooffice_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Run openoffice in its own domain.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`ooffice_domtrans',`
>> + gen_require(`
>> + type ooffice_t, ooffice_exec_t;
>> + ')
>> +
>> + domtrans_pattern($1, ooffice_exec_t, ooffice_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Read and write temporary
>> +## openoffice files.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`ooffice_rw_ooffice_tmp_files',`
>> + gen_require(`
>> + type ooffice_tmp_t;
>> + ')
>> +
>> + rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
>> +')
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te
>refpolicy-git-25112016/policy/modules/contrib/openoffice.te
>> ---
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01
>01:00:00.000000000 +0100
>> +++
>refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-12-04
>16:05:06.872422860 +0100
>> @@ -0,0 +1,118 @@
>> +policy_module(openoffice, 1.0.0)
>> +
>> +##############################
>> +#
>> +# Declarations
>> +#
>> +
>> +## <desc>
>> +## <p>
>> +## Determine whether openoffice can
>> +## download software updates from the
>> +## network (application and/or
>> +## extensions).
>> +## </p>
>> +## </desc>
>> +gen_tunable(openoffice_allow_update, true)
>> +
>> +attribute_role ooffice_roles;
>> +
>> +type ooffice_t;
>> +type ooffice_exec_t;
>> +userdom_user_application_domain(ooffice_t, ooffice_exec_t)
>> +role ooffice_roles types ooffice_t;
>> +
>> +type ooffice_home_t;
>> +userdom_user_home_content(ooffice_home_t)
>> +
>> +type ooffice_tmp_t;
>> +files_tmp_file(ooffice_tmp_t)
>> +
>> +##############################
>> +#
>> +# Openoffice local policy
>> +#
>> +
>> +allow ooffice_t self:process { execmem getsched signal };
>> +allow ooffice_t self:shm create_shm_perms;
>> +allow ooffice_t self:fifo_file rw_fifo_file_perms;
>> +allow ooffice_t self:unix_stream_socket connectto;
>> +
>> +allow ooffice_t ooffice_home_t:dir manage_dir_perms;
>> +allow ooffice_t ooffice_home_t:file manage_file_perms;
>> +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
>> +userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir,
>".openoffice")
>> +
>> +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
>> +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
>> +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
>> +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file
>})
>> +
>> +can_exec(ooffice_t, ooffice_exec_t)
>> +
>> +corecmd_exec_bin(ooffice_t)
>> +corecmd_exec_shell(ooffice_t)
>> +
>> +dev_read_sysfs(ooffice_t)
>> +dev_read_urand(ooffice_t)
>> +
>> +files_getattr_all_dirs(ooffice_t)
>> +files_getattr_all_files(ooffice_t)
>> +files_getattr_all_symlinks(ooffice_t)
>> +files_read_etc_files(ooffice_t)
>> +files_read_usr_files(ooffice_t)
>> +
>> +fs_getattr_xattr_fs(ooffice_t)
>> +
>> +miscfiles_read_fonts(ooffice_t)
>> +miscfiles_read_localization(ooffice_t)
>> +
>> +sysnet_dns_name_resolve(ooffice_t)
>> +
>> +userdom_dontaudit_exec_user_home_content_files(ooffice_t)
>> +userdom_manage_user_home_content_dirs(ooffice_t)
>> +userdom_manage_user_home_content_files(ooffice_t)
>> +userdom_manage_user_home_content_symlinks(ooffice_t)
>> +userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir
>file lnk_file fifo_file sock_file })
>> +
>> +tunable_policy(`openoffice_allow_update',`
>> + corenet_tcp_connect_http_port(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> + cups_read_config(ooffice_t)
>> + cups_stream_connect(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> + dbus_all_session_bus_client(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> + evolution_domtrans(ooffice_t)
>> + evolution_read_evolution_home_files(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> + hostname_exec(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> + java_exec(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> + mozilla_domtrans(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> + thunderbird_domtrans(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> + xserver_read_user_iceauth(ooffice_t)
>> + xserver_read_user_xauth(ooffice_t)
>> + xserver_read_xdm_tmp_files(ooffice_t)
>> + xserver_stream_connect(ooffice_t)
>> + xserver_stream_connect_xdm(ooffice_t)
>> +')

2016-12-05 11:07:01

by guido

Subject: [refpolicy] [PATCH v8 1/2] Apache OpenOffice module (base policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of this patch removes obsolete executable
permission from the unconfined module.

The seventh and eighth versions bring no changes to the base part
of the patch.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
policy/modules/services/xserver.if | 19 +++++++++++++++++++
policy/modules/system/libraries.fc | 2 ++
policy/modules/system/unconfined.fc | 1 -
6 files changed, 33 insertions(+), 1 deletion(-)

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
--- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-12-04 14:08:03.779762377 +0100
+++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-12-02 15:27:20.272710161 +0100
@@ -141,6 +142,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
--- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-12-04 14:08:03.793762581 +0100
+++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-12-02 15:26:58.253515665 +0100
@@ -721,6 +721,10 @@ optional_policy(`
')

optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
--- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-12-04 14:08:03.794762596 +0100
+++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-12-02 15:26:24.077227786 +0100
@@ -114,6 +115,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-12-04 14:08:03.794762596 +0100
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-12-04 14:08:26.795097338 +0100
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`

########################################
## <summary>
+## Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
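Review bot: The summary for `xserver_read_user_iceauth` does not say what is being exposed. `.ICEauthority` holds the ICE session cookies, so read access to `iceauth_home_t` is access to a credential, and the only caller in this series is `ooffice_t`, a domain that opens untrusted documents. I would reword the summary to `## Read the .ICEauthority files of all users.` and add a one-line comment at the call site in openoffice.te naming the feature that needs it (presumably session management; worth confirming it is really required). The interface that follows in the hunk continues outside it, and the same hunk is resent unchanged in v9 1/2.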
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-12-04 14:08:03.795762611 +0100
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)

+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
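Review bot: The new entry hard-codes `/opt/openoffice4/`, while openoffice.fc in part 2/2 labels the executables under `/opt/openoffice(.*)?/program/`. An install directory other than `openoffice4` would therefore get `ooffice_exec_t` binaries but no `lib_t` label on its shared objects from this rule. If other versions are meant to be covered, use a matching prefix here, for example `/opt/openoffice[^/]*/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)`. It is also worth confirming that none of these libraries need `textrel_shlib_t`, as the neighbouring jre and RealPlayer entries do.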
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/unconfined.fc refpolicy-git-25112016/policy/modules/system/unconfined.fc
--- refpolicy-git-25112016-orig/policy/modules/system/unconfined.fc 2016-08-14 21:24:48.971382400 +0200
+++ refpolicy-git-25112016/policy/modules/system/unconfined.fc 2016-12-04 14:19:24.768673321 +0100
@@ -6,7 +6,6 @@
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)

/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)

/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)


2016-12-05 11:07:19

by guido

Subject: [refpolicy] [PATCH v8 2/2] Apache OpenOffice module (contrib policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (contrib policy part, 2/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of the patch adds the ability to run the
evolution email application.

The seventh version of the patch improves the integration with
the evolution email application.

This eighth version of the patch adds support for integration
with mozilla and improves the integration with thunderbird.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Although this patch has only been tested with Apache OpenOffice
version 4, it might also work with earlier versions (in particular
version 3) or at least it can be easily adapted for the purpose.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/evolution.if | 38 ++++++++++
policy/modules/contrib/evolution.te | 5 +
policy/modules/contrib/mozilla.te | 5 +
policy/modules/contrib/openoffice.fc | 30 ++++++++
policy/modules/contrib/openoffice.if | 67 +++++++++++++++++++
policy/modules/contrib/openoffice.te | 118 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/thunderbird.te | 5 +
7 files changed, 268 insertions(+)

diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if refpolicy-git-25112016/policy/modules/contrib/evolution.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if 2016-12-04 16:02:48.317069925 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/evolution.if 2016-12-04 16:03:37.777350810 +0100
@@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`

########################################
## <summary>
+## Read evolution home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_evolution_home_files',`
+ gen_require(`
+ type evolution_t, evolution_home_t;
+ ')
+
+ read_files_pattern($1, evolution_home_t, evolution_home_t)
+')
+
+########################################
+## <summary>
## Connect to evolution using a unix
## domain stream socket.
## </summary>
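Review bot: `evolution_read_evolution_home_files` lists `evolution_t` in its `gen_require` but never uses it; the line should be `type evolution_home_t;`. The interface also grants no search on the user home directory, unlike `xserver_read_user_iceauth` in part 1/2, which adds `userdom_search_user_home_dirs($1)`, so it only works for callers that already have that access. Since `evolution_home_t` presumably covers mail and account data, the summary should say what is being exposed so that callers such as `ooffice_t` grant it deliberately. The interface that follows in the hunk continues outside it.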
@@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',`
allow $1 evolution_alarm_t:dbus send_msg;
allow evolution_alarm_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Make a domain transition to the
+## evolution target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_domtrans',`
+ gen_require(`
+ type evolution_t, evolution_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, evolution_exec_t, evolution_t);
+')
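Review bot: The call `domtrans_pattern($1, evolution_exec_t, evolution_t);` ends with a stray semicolon. `ooffice_domtrans` in this same series calls the macro without one, so the line should read `domtrans_pattern($1, evolution_exec_t, evolution_t)`. The parameter summary would also be clearer as `Domain allowed to transition.`, matching `ooffice_domtrans`.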
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te refpolicy-git-25112016/policy/modules/contrib/evolution.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te 2016-12-04 15:48:16.164030673 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/evolution.te 2016-12-04 15:48:37.116534261 +0100
@@ -270,6 +270,11 @@ optional_policy(`
')

optional_policy(`
+ ooffice_domtrans(evolution_t)
+ ooffice_rw_ooffice_tmp_files(evolution_t)
+')
+
+optional_policy(`
spamassassin_exec_spamd(evolution_t)
spamassassin_domtrans_client(evolution_t)
spamassassin_domtrans_local_client(evolution_t)
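Review bot: Nothing in this block explains why `evolution_t` needs `ooffice_rw_ooffice_tmp_files`. Together with `evolution_domtrans(ooffice_t)` in openoffice.te the two domains can now start each other, and the mail client gets read/write access to every `ooffice_tmp_t` file. Please add a comment above the block stating the use case, e.g. `# launch openoffice to view attachments` (wording for the author to confirm), or drop the tmp-file access if only the transition is needed. The same applies to the identical blocks added to mozilla.te and thunderbird.te; `mozilla_t` handles untrusted web content, so the rationale matters most there. The spamassassin block that follows continues outside the hunk.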
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/mozilla.te refpolicy-git-25112016/policy/modules/contrib/mozilla.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/mozilla.te 2016-10-29 16:29:19.667325422 +0200
+++ refpolicy-git-25112016/policy/modules/contrib/mozilla.te 2016-12-05 11:54:30.093537472 +0100
@@ -296,6 +296,11 @@ optional_policy(`
')

optional_policy(`
+ ooffice_domtrans(mozilla_t)
+ ooffice_rw_ooffice_tmp_files(mozilla_t)
+')
+
+optional_policy(`
pulseaudio_run(mozilla_t, mozilla_roles)
pulseaudio_rw_tmpfs_files(mozilla_t)
pulseaudio_use_fds(mozilla_t)
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-12-04 14:34:22.734742098 +0100
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
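Review bot: The version wildcard `(.*)?` in `/opt/openoffice(.*)?/program/...` also matches `/`, so these entries apply to any deeper path that starts with `/opt/openoffice` and contains a `program` directory, not only a versioned install root. The `?` is also redundant after `.*`. Writing the entries as `/opt/openoffice[^/]*/program/soffice` (and likewise for the others) keeps the match to a single path component. Separately, the `HOME_DIR` entry covers `.openoffice.org`, but openoffice.te only has a named file transition for `.openoffice`, so a `.openoffice.org` directory created at run time would not be labelled `ooffice_home_t` until a relabel.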
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-12-04 15:36:53.136278874 +0100
@@ -0,0 +1,67 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
+
+########################################
+## <summary>
+## Read and write temporary
+## openoffice files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_rw_ooffice_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+')
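Review bot: `ooffice_rw_ooffice_tmp_files` grants `rw_files_pattern` on `ooffice_tmp_t` but no search permission on the parent temporary directory, so callers depend on getting that from elsewhere; tmp-file interfaces normally start with `files_search_tmp($1)`. The name also repeats the module prefix, and `ooffice_rw_tmp_files` would be the usual form. In `ooffice_role`, the `ptrace` permission in `allow $2 ooffice_t:process { ptrace signal_perms };` deserves a comment, or removal if it is only there by template, since it lets the user domain attach to the confined process.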
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-12-04 16:05:06.872422860 +0100
@@ -0,0 +1,118 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ evolution_domtrans(ooffice_t)
+ evolution_read_evolution_home_files(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+ xserver_stream_connect_xdm(ooffice_t)
+')
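Review bot: `gen_tunable(openoffice_allow_update, true)` turns outbound network access on by default for a domain whose job is opening untrusted documents. `sysnet_dns_name_resolve(ooffice_t)` also sits outside the tunable, so name resolution stays allowed even when the boolean is off. I would default it with `gen_tunable(openoffice_allow_update, false)` and move `sysnet_dns_name_resolve(ooffice_t)` into the `tunable_policy` block next to `corenet_tcp_connect_http_port(ooffice_t)`, unless resolution is needed for something else. `execmem` and `corecmd_exec_shell` are also broad grants and would benefit from a one-line comment naming what needs them. The same file is quoted earlier in the thread, and these points apply there too.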
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/thunderbird.te refpolicy-git-25112016/policy/modules/contrib/thunderbird.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/thunderbird.te 2016-08-14 21:28:11.582520957 +0200
+++ refpolicy-git-25112016/policy/modules/contrib/thunderbird.te 2016-12-05 11:54:45.292543263 +0100
@@ -166,3 +166,8 @@ optional_policy(`
mozilla_read_user_home_files(thunderbird_t)
mozilla_domtrans(thunderbird_t)
')
+
+optional_policy(`
+ ooffice_domtrans(thunderbird_t)
+ ooffice_rw_ooffice_tmp_files(thunderbird_t)
+')

2016-12-06 20:41:39

by guido

Subject: [refpolicy] [PATCH v9 1/2] Apache OpenOffice module (base policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of this patch removes obsolete executable
permission from the unconfined module.

The seventh, eighth and ninth versions bring no changes to the base
part of the patch.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
policy/modules/services/xserver.if | 19 +++++++++++++++++++
policy/modules/system/libraries.fc | 2 ++
policy/modules/system/unconfined.fc | 1 -
6 files changed, 33 insertions(+), 1 deletion(-)

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
--- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-12-04 14:08:03.779762377 +0100
+++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-12-02 15:27:20.272710161 +0100
@@ -141,6 +142,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
--- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-12-04 14:08:03.793762581 +0100
+++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-12-02 15:26:58.253515665 +0100
@@ -721,6 +721,10 @@ optional_policy(`
')

optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
--- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-12-04 14:08:03.794762596 +0100
+++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-12-02 15:26:24.077227786 +0100
@@ -114,6 +115,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')

diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-12-04 14:08:03.794762596 +0100
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-12-04 14:08:26.795097338 +0100
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`

########################################
## <summary>
+## Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-12-04 14:08:03.795762611 +0100
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)

+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/unconfined.fc refpolicy-git-25112016/policy/modules/system/unconfined.fc
--- refpolicy-git-25112016-orig/policy/modules/system/unconfined.fc 2016-08-14 21:24:48.971382400 +0200
+++ refpolicy-git-25112016/policy/modules/system/unconfined.fc 2016-12-04 14:19:24.768673321 +0100
@@ -6,7 +6,6 @@
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)

/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)

/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)


2016-12-06 20:41:47

by guido

Subject: [refpolicy] [PATCH v9 2/2] Apache OpenOffice module (contrib policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (contrib policy part, 2/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of the patch adds the ability to run the
evolution email application.

The seventh version of the patch improves the integration with
the evolution email application.

The eighth version of the patch adds support for integration
with mozilla and improves the integration with thunderbird.

This ninth version of the patch avoids auditing some denial
messages.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Although this patch has only been tested with Apache OpenOffice
version 4, it might also work with earlier versions (in particular
version 3) or at least it can be easily adapted for the purpose.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/evolution.if | 38 ++++++++++
policy/modules/contrib/evolution.te | 5 +
policy/modules/contrib/mozilla.te | 5 +
policy/modules/contrib/openoffice.fc | 30 ++++++++
policy/modules/contrib/openoffice.if | 88 ++++++++++++++++++++++++
policy/modules/contrib/openoffice.te | 120 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/thunderbird.te | 5 +
7 files changed, 291 insertions(+)

diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if refpolicy-git-25112016/policy/modules/contrib/evolution.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if 2016-12-04 16:02:48.317069925 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/evolution.if 2016-12-04 16:03:37.777350810 +0100
@@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`

########################################
## <summary>
+## Read evolution home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_evolution_home_files',`
+ gen_require(`
+ type evolution_t, evolution_home_t;
+ ')
+
+ read_files_pattern($1, evolution_home_t, evolution_home_t)
+')
+
+########################################
+## <summary>
## Connect to evolution using a unix
## domain stream socket.
## </summary>
@@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',`
allow $1 evolution_alarm_t:dbus send_msg;
allow evolution_alarm_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Make a domain transition to the
+## evolution target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_domtrans',`
+ gen_require(`
+ type evolution_t, evolution_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, evolution_exec_t, evolution_t);
+')
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te refpolicy-git-25112016/policy/modules/contrib/evolution.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te 2016-12-04 15:48:16.164030673 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/evolution.te 2016-12-04 15:48:37.116534261 +0100
@@ -270,6 +270,11 @@ optional_policy(`
')

optional_policy(`
+ ooffice_domtrans(evolution_t)
+ ooffice_rw_ooffice_tmp_files(evolution_t)
+')
+
+optional_policy(`
spamassassin_exec_spamd(evolution_t)
spamassassin_domtrans_client(evolution_t)
spamassassin_domtrans_local_client(evolution_t)
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/mozilla.te refpolicy-git-25112016/policy/modules/contrib/mozilla.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/mozilla.te 2016-10-29 16:29:19.667325422 +0200
+++ refpolicy-git-25112016/policy/modules/contrib/mozilla.te 2016-12-05 11:54:30.093537472 +0100
@@ -296,6 +296,11 @@ optional_policy(`
')

optional_policy(`
+ ooffice_domtrans(mozilla_t)
+ ooffice_rw_ooffice_tmp_files(mozilla_t)
+')
+
+optional_policy(`
pulseaudio_run(mozilla_t, mozilla_roles)
pulseaudio_rw_tmpfs_files(mozilla_t)
pulseaudio_use_fds(mozilla_t)
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-12-04 14:34:22.734742098 +0100
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
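Review bot: The `(.*)?` after `/opt/openoffice` in every executable entry also matches `/`, so a deeper path such as `/opt/openoffice4/extras/program/soffice` (constructed example) would be labelled `ooffice_exec_t`. That is the type `domtrans_pattern` uses to enter `ooffice_t`. Limiting the wildcard to one path component still covers the version suffix the change is after: `/opt/openoffice[^/]*/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)`, and likewise for the other entries. The optional group around `.*` adds nothing, since `.*` already matches the empty string.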
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-12-06 21:27:07.252411657 +0100
@@ -0,0 +1,88 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ allow ooffice_t $2:unix_stream_socket connectto;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
+
+########################################
+## <summary>
+## Read and write temporary
+## openoffice files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_rw_ooffice_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ooffice_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ dontaudit $1 ooffice_tmp_t:file exec_file_perms;
+')
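Review bot: The summary of `ooffice_dontaudit_exec_tmp_files` says "files in temporary directories", but the rule covers only files labelled `ooffice_tmp_t`. The two summary lines should read `## Do not audit attempts to execute` and `## temporary openoffice files.`. A dontaudit rule drops the AVC record for the denied execute, and openoffice.te applies this interface to `ooffice_t` itself. The summary should therefore also say that callers lose that log entry unless dontaudit rules are disabled (`semodule -DB`).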
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-12-06 17:15:20.808003319 +0100
@@ -0,0 +1,120 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+ooffice_dontaudit_exec_tmp_files(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ evolution_domtrans(ooffice_t)
+ evolution_read_evolution_home_files(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+ xserver_stream_connect_xdm(ooffice_t)
+')
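Review bot: `gen_tunable(openoffice_allow_update, true)` turns outbound network access on by default for a domain that evolution, mozilla and thunderbird can transition into with documents they received. The rule it guards, `corenet_tcp_connect_http_port(ooffice_t)`, permits connections to any HTTP port, not only to an update server. Defaulting to `gen_tunable(openoffice_allow_update, false)` keeps updates one boolean away while the confined default stays tighter. The `<desc>` text should also say that enabling the boolean allows outbound TCP connections to HTTP ports in general.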
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/thunderbird.te refpolicy-git-25112016/policy/modules/contrib/thunderbird.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/thunderbird.te 2016-08-14 21:28:11.582520957 +0200
+++ refpolicy-git-25112016/policy/modules/contrib/thunderbird.te 2016-12-05 11:54:45.292543263 +0100
@@ -166,3 +166,8 @@ optional_policy(`
mozilla_read_user_home_files(thunderbird_t)
mozilla_domtrans(thunderbird_t)
')
+
+optional_policy(`
+ ooffice_domtrans(thunderbird_t)
+ ooffice_rw_ooffice_tmp_files(thunderbird_t)
+')

2016-12-07 01:23:24

by Chris PeBenito

Subject: [refpolicy] [PATCH v9 2/2] Apache OpenOffice module (contrib policy part)

On 12/06/16 15:41, Guido Trentalancia via refpolicy wrote:
> This is a patch that I have created and tested to support Apache
> OpenOffice with its own module (contrib policy part, 2/2).
>
> The file contexts (and initial tests) are based on the default
> installation path for version 4 of the office suite.
>
> Since the second version it includes revisions from Dominick Grift.
>
> Since the third version it should correctly manage files in home
> directories and allow some other major functionality.
>
> The fourth version of the patch introduces a boolean to enable or
> disable software updates from the network (application and/or
> extensions).
>
> The fifth version of the patch adds the ability to connect to the
> X display manager (XDM) using Unix domain sockets (interface
> xserver_stream_connect_xdm()). Also the fifth version splits the
> whole patch into separate base policy / contrib policy patches as
> required.
>
> The sixth version of the patch adds the ability to run the
> evolution email application.
>
> The seventh version of the patch improves the integration with
> the evolution email application.
>
> The eighth version of the patch adds support for integration
> with mozilla and improves the integration with thunderbird.
>
> This ninth version of the patch avoids auditing some denial
> messages.
>
> All released versions are safe to apply, each new version just
> brings improved application functionality and better integration
> with other desktop applications.
>
> Although this patch has only been tested with Apache OpenOffice
> version 4, it might also work with earlier versions (in particular
> version 3) or at least it can be easily adapted for the purpose.

I've merged this, but I'd like a couple interface renames (noted below).


> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/evolution.if | 38 ++++++++++
> policy/modules/contrib/evolution.te | 5 +
> policy/modules/contrib/mozilla.te | 5 +
> policy/modules/contrib/openoffice.fc | 30 ++++++++
> policy/modules/contrib/openoffice.if | 88 ++++++++++++++++++++++++
> policy/modules/contrib/openoffice.te | 120 ++++++++++++++++++++++++++++++++++
> policy/modules/contrib/thunderbird.te | 5 +
> 7 files changed, 291 insertions(+)
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if refpolicy-git-25112016/policy/modules/contrib/evolution.if
> --- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if 2016-12-04 16:02:48.317069925 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/evolution.if 2016-12-04 16:03:37.777350810 +0100
> @@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`
>
> ########################################
> ## <summary>
> +## Read evolution home files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`evolution_read_evolution_home_files',`

evolution_read_home_files().


> + gen_require(`
> + type evolution_t, evolution_home_t;
> + ')
> +
> + read_files_pattern($1, evolution_home_t, evolution_home_t)
> +')
> +
> +########################################
> +## <summary>
> ## Connect to evolution using a unix
> ## domain stream socket.
> ## </summary>

[...]

> diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
> --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
> +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-12-06 21:27:07.252411657 +0100

[...]

> +
> +########################################
> +## <summary>
> +## Read and write temporary
> +## openoffice files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_rw_ooffice_tmp_files',`

ooffice_rw_tmp_files()


> + gen_require(`
> + type ooffice_tmp_t;
> + ')
> +
> + rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to execute
> +## files in temporary directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_dontaudit_exec_tmp_files',`
> + gen_require(`
> + type ooffice_tmp_t;
> + ')
> +
> + dontaudit $1 ooffice_tmp_t:file exec_file_perms;
> +')


--
Chris PeBenito

2016-12-07 13:04:16

by guido

Subject: [refpolicy] [PATCH] openoffice: rename two interfaces in openoffice and evolution

Hello Christopher,

thanks very much for applying this patch !

On Tue, 06/12/2016 at 20.23 -0500, Chris PeBenito wrote:
> On 12/06/16 15:41, Guido Trentalancia via refpolicy wrote:
> >
> > This is a patch that I have created and tested to support Apache
> > OpenOffice with its own module (contrib policy part, 2/2).

[...]

> I've merged this, but I'd like a couple interface renames (noted
> below).

I have created a small patch to rename the two interfaces as you
suggest. I just hope there will not be any collision with future
interfaces that access raw tmp files...

> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/contrib/evolution.if???|???38 ++++++++++
> > ?policy/modules/contrib/evolution.te???|????5 +
> > ?policy/modules/contrib/mozilla.te?????|????5 +
> > ?policy/modules/contrib/openoffice.fc??|???30 ++++++++
> > ?policy/modules/contrib/openoffice.if??|???88
> > ++++++++++++++++++++++++
> > ?policy/modules/contrib/openoffice.te??|??120
> > ++++++++++++++++++++++++++++++++++
> > ?policy/modules/contrib/thunderbird.te |????5 +
> > ?7 files changed, 291 insertions(+)
> >
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/contrib/evolution.if refpolicy-git-
> > 25112016/policy/modules/contrib/evolution.if
> > --- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if
> > 2016-12-04 16:02:48.317069925 +0100
> > +++ refpolicy-git-25112016/policy/modules/contrib/evolution.if
> > 2016-12-04 16:03:37.777350810 +0100
> > @@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`
> >
> > ?########################################
> > ?## <summary>
> > +## Read evolution home files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`evolution_read_evolution_home_files',`
>
> evolution_read_home_files().
>
>
> >
> > + gen_require(`
> > + type evolution_t, evolution_home_t;
> > + ')
> > +
> > + read_files_pattern($1, evolution_home_t, evolution_home_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Connect to evolution using a unix
> > ?## domain stream socket.
> > ?## </summary>
>
> [...]
>
> >
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/contrib/openoffice.if refpolicy-git-
> > 25112016/policy/modules/contrib/openoffice.if
> > --- refpolicy-git-25112016-
> > orig/policy/modules/contrib/openoffice.if 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if
> > 2016-12-06 21:27:07.252411657 +0100
>
> [...]
>
> >
> > +
> > +########################################
> > +## <summary>
> > +## Read and write temporary
> > +## openoffice files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`ooffice_rw_ooffice_tmp_files',`
>
> ooffice_rw_tmp_files()
>
>
> >
> > + gen_require(`
> > + type ooffice_tmp_t;
> > + ')
> > +
> > + rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Do not audit attempts to execute
> > +## files in temporary directories.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain to not audit.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`ooffice_dontaudit_exec_tmp_files',`
> > + gen_require(`
> > + type ooffice_tmp_t;
> > + ')
> > +
> > + dontaudit $1 ooffice_tmp_t:file exec_file_perms;
> > +')

[cut]

Rename 1 openoffice interface and 1 evolution interface that
have been recently added with the new openoffice module.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/evolution.if | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/openoffice.if | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/evolution.if refpolicy-git-07122016/policy/modules/contrib/evolution.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/evolution.if 2016-12-07 13:39:49.974910275 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/evolution.if 2016-12-07 13:42:47.297046820 +0100
@@ -115,7 +115,7 @@ interface(`evolution_home_filetrans',`
## </summary>
## </param>
#
-interface(`evolution_read_evolution_home_files',`
+interface(`evolution_read_home_files',`
gen_require(`
type evolution_t, evolution_home_t;
')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/evolution.te refpolicy-git-07122016/policy/modules/contrib/evolution.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/evolution.te 2016-12-07 13:39:49.975910286 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/evolution.te 2016-12-07 13:42:47.299046842 +0100
@@ -271,7 +271,7 @@ optional_policy(`

optional_policy(`
ooffice_domtrans(evolution_t)
- ooffice_rw_ooffice_tmp_files(evolution_t)
+ ooffice_rw_tmp_files(evolution_t)
')

optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te refpolicy-git-07122016/policy/modules/contrib/mozilla.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te 2016-12-07 13:39:50.051911134 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/mozilla.te 2016-12-07 13:42:47.299046842 +0100
@@ -297,7 +297,7 @@ optional_policy(`

optional_policy(`
ooffice_domtrans(mozilla_t)
- ooffice_rw_ooffice_tmp_files(mozilla_t)
+ ooffice_rw_tmp_files(mozilla_t)
')

optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/openoffice.if refpolicy-git-07122016/policy/modules/contrib/openoffice.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/openoffice.if 2016-12-07 13:39:50.052911146 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/openoffice.if 2016-12-07 13:42:47.300046853 +0100
@@ -60,7 +60,7 @@ interface(`ooffice_domtrans',`
## </summary>
## </param>
#
-interface(`ooffice_rw_ooffice_tmp_files',`
+interface(`ooffice_rw_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/openoffice.te refpolicy-git-07122016/policy/modules/contrib/openoffice.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/openoffice.te 2016-12-07 13:39:50.052911146 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/openoffice.te 2016-12-07 13:42:47.301046865 +0100
@@ -92,7 +92,7 @@ optional_policy(`

optional_policy(`
evolution_domtrans(ooffice_t)
- evolution_read_evolution_home_files(ooffice_t)
+ evolution_read_home_files(ooffice_t)
')

optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/thunderbird.te refpolicy-git-07122016/policy/modules/contrib/thunderbird.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/thunderbird.te 2016-12-07 13:39:50.097911648 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/thunderbird.te 2016-12-07 13:42:47.301046865 +0100
@@ -169,5 +169,5 @@ optional_policy(`

optional_policy(`
ooffice_domtrans(thunderbird_t)
- ooffice_rw_ooffice_tmp_files(thunderbird_t)
+ ooffice_rw_tmp_files(thunderbird_t)
')

2016-12-08 23:46:59

by Chris PeBenito

Subject: [refpolicy] [PATCH] openoffice: rename two interfaces in openoffice and evolution

> Rename 1 openoffice interface and 1 evolution interfaces that
> have been recently added with the new openoffice module.

Merged.


> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/evolution.if | 2 +-
> policy/modules/contrib/evolution.te | 2 +-
> policy/modules/contrib/mozilla.te | 2 +-
> policy/modules/contrib/openoffice.if | 2 +-
> policy/modules/contrib/openoffice.te | 2 +-
> policy/modules/contrib/thunderbird.te | 2 +-
> 6 files changed, 6 insertions(+), 6 deletions(-)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/evolution.if refpolicy-git-07122016/policy/modules/contrib/evolution.if
> --- refpolicy-git-07122016-orig/policy/modules/contrib/evolution.if 2016-12-07 13:39:49.974910275 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/evolution.if 2016-12-07 13:42:47.297046820 +0100
> @@ -115,7 +115,7 @@ interface(`evolution_home_filetrans',`
> ## </summary>
> ## </param>
> #
> -interface(`evolution_read_evolution_home_files',`
> +interface(`evolution_read_home_files',`
> gen_require(`
> type evolution_t, evolution_home_t;
> ')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/evolution.te refpolicy-git-07122016/policy/modules/contrib/evolution.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/evolution.te 2016-12-07 13:39:49.975910286 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/evolution.te 2016-12-07 13:42:47.299046842 +0100
> @@ -271,7 +271,7 @@ optional_policy(`
>
> optional_policy(`
> ooffice_domtrans(evolution_t)
> - ooffice_rw_ooffice_tmp_files(evolution_t)
> + ooffice_rw_tmp_files(evolution_t)
> ')
>
> optional_policy(`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te refpolicy-git-07122016/policy/modules/contrib/mozilla.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te 2016-12-07 13:39:50.051911134 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/mozilla.te 2016-12-07 13:42:47.299046842 +0100
> @@ -297,7 +297,7 @@ optional_policy(`
>
> optional_policy(`
> ooffice_domtrans(mozilla_t)
> - ooffice_rw_ooffice_tmp_files(mozilla_t)
> + ooffice_rw_tmp_files(mozilla_t)
> ')
>
> optional_policy(`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/openoffice.if refpolicy-git-07122016/policy/modules/contrib/openoffice.if
> --- refpolicy-git-07122016-orig/policy/modules/contrib/openoffice.if 2016-12-07 13:39:50.052911146 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/openoffice.if 2016-12-07 13:42:47.300046853 +0100
> @@ -60,7 +60,7 @@ interface(`ooffice_domtrans',`
> ## </summary>
> ## </param>
> #
> -interface(`ooffice_rw_ooffice_tmp_files',`
> +interface(`ooffice_rw_tmp_files',`
> gen_require(`
> type ooffice_tmp_t;
> ')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/openoffice.te refpolicy-git-07122016/policy/modules/contrib/openoffice.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/openoffice.te 2016-12-07 13:39:50.052911146 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/openoffice.te 2016-12-07 13:42:47.301046865 +0100
> @@ -92,7 +92,7 @@ optional_policy(`
>
> optional_policy(`
> evolution_domtrans(ooffice_t)
> - evolution_read_evolution_home_files(ooffice_t)
> + evolution_read_home_files(ooffice_t)
> ')
>
> optional_policy(`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/thunderbird.te refpolicy-git-07122016/policy/modules/contrib/thunderbird.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/thunderbird.te 2016-12-07 13:39:50.097911648 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/thunderbird.te 2016-12-07 13:42:47.301046865 +0100
> @@ -169,5 +169,5 @@ optional_policy(`
>
> optional_policy(`
> ooffice_domtrans(thunderbird_t)
> - ooffice_rw_ooffice_tmp_files(thunderbird_t)
> + ooffice_rw_tmp_files(thunderbird_t)
> ')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito