2010-05-15 17:50:51

by Shaz

Subject: [refpolicy] Howto enable or disable clipboard with selinux?

Dear list,

I want to enable or disable the clipboard with booleans. Is there any
available policy that can do this? If not please indicate the relevant place
to start with.

--
Shaz


2010-05-15 18:53:08

by domg472

Subject: [refpolicy] Howto enable or disable clipboard with selinux?

On 05/15/2010 07:50 PM, Shaz wrote:
> Dear list,
>
> I want to enable or disable the clipboard with booleans. Is there any
> available policy that can do this? If not please indicate the relevant place
> to start with.

There is no boolean to enable/disable clipboard functionality.

You would have to enable the xserver access control extension (setsebool
-P xserver_object_manager on && reboot) and modify the policy to
grant/deny access to copy to and read from the clipboard.

Which might not be easy to do. I forgot which classes and permissions
control this, and "XACE" provides plenty of classes and permissions.

I have, however, a while ago created a screencast in which I
demonstrate how to confine a GUI user app (google-gadgets) with the
Xserver access control extension enabled (it is on YouTube: "SELinux
confined a GUI app"). If I remember correctly it also touches on the
clipboard issue wrt google-gadgets.


2010-05-19 15:33:52

by Shaz

Subject: [refpolicy] Howto enable or disable clipboard with selinux?

On Sat, May 15, 2010 at 10:50 PM, Shaz <[email protected]> wrote:
> Dear list,
>
> I want to enable or disable the clipboard with booleans. Is there any
> available policy that can do this? If not please indicate the relevant place
> to start with.

There was a flaw in this question that someone on SELinux IRC
explained to me. We need to control an application's access to
booleans. But I am still not sure how much effort, and what kind, it
requires. Pointers to tutorials or some guidance will be appreciated.

Which version of XACE can do this, going as far back as possible?


--
Shaz

2010-05-19 17:20:17

by Eamon Walsh

Subject: [refpolicy] Howto enable or disable clipboard with selinux?

On 05/19/2010 11:33 AM, Shaz wrote:
> On Sat, May 15, 2010 at 10:50 PM, Shaz <[email protected]> wrote:
>
>> Dear list,
>>
>> I want to enable or disable the clipboard with booleans. Is there any
>> available policy that can do this? If not please indicate the relevant place
>> to start with.
>>
> There was a flaw in this question that someone on SELinux IRC
> explained to me. We need to control an application's access to
> booleans. But I am still not sure how much effort, and what kind, it
> requires. Pointers to tutorials or some guidance will be appreciated.
>
> Which version of XACE can do this, going as far back as possible?

You could deny access to the clipboard by labeling the PRIMARY,
SECONDARY, and CLIPBOARD selections (in the x_contexts file) with a
context that application domains don't have permissions to access. But
this will result in BadAccess X protocol errors being returned to the
application, which will probably abort() as a result (the standard Xlib
error handling method is to call abort).

You could also polyinstantiate X selections, which would cause the
clipboard to stop working unless the two parties (selection owner and
ConvertSelection request issuer) have the exact same context. But if
you do this, be aware that there are other selections (besides the
clipboard ones) that you will need to keep as single instances if you
want things like D-Bus to work. Finding and dealing with all of these
is a topic of interest at the moment.

An x_contexts file with the following "selections" section would
implement the second option (the file is located in the contexts/
directory of the SELinux policy configuration):

#
##
### Rules for X Selections
##
#

# Put all your single-instance exceptions here
selection @server=ibus system_u:object_r:xselection_t:s0
selection _DBUS_* system_u:object_r:xselection_t:s0

# Default fallback type, will polyinstantiate everything else
poly_selection * system_u:object_r:xselection_t:s0

--

Eamon Walsh
National Security Agency
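As an added illustration of the polyinstantiation option described above (this is not code from the thread, from the X server or from libselinux), the script below models how a `selections` section of x_contexts decides whether a named X selection is single-instance or polyinstantiated, and audits the file against a list of selection names the deployer has decided must stay single-instance (the D-Bus case the post warns about). It assumes that explicit `selection` rules are consulted before `poly_selection` rules and that the first matching rule wins within each group, which is the "single-instance exceptions plus fallback" model the post describes; the `_DBUS_SESSION_BUS_SELECTION_user_1` and `_XSETTINGS_S0` names are constructed sample input.

```python
# Added example, not part of the original thread. Models x_contexts selection
# lookup under the assumption that explicit `selection` entries (single
# instance) are consulted before `poly_selection` entries, first match wins.
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional, Tuple

# Constructed input: the "selections" section quoted in the post.
X_CONTEXTS_SELECTIONS = """\
#
##
### Rules for X Selections
##
#

# Put all your single-instance exceptions here
selection @server=ibus system_u:object_r:xselection_t:s0
selection _DBUS_* system_u:object_r:xselection_t:s0

# Default fallback type, will polyinstantiate everything else
poly_selection * system_u:object_r:xselection_t:s0
"""

SELECTION_KINDS = ("selection", "poly_selection")


class Rule(NamedTuple):
    kind: str      # "selection" (single instance) or "poly_selection"
    pattern: str   # selection name or fnmatch-style glob such as _DBUS_*
    context: str   # security context assigned to the selection object


def parse_selection_rules(text: str) -> List[Rule]:
    """Parse the selection/poly_selection lines of an x_contexts file.

    Comments and blank lines are skipped. Lines for other x_contexts object
    kinds (property, extension, client, ...) are ignored by this model.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in SELECTION_KINDS:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'kind name context': {raw!r}")
        rules.append(Rule(*fields))
    return rules


def lookup_selection(rules: List[Rule], name: str) -> Optional[Tuple[str, bool]]:
    """Return (context, polyinstantiated) for a selection name, None if no rule matches.

    `selection` rules are tried first; only if none matches does a
    `poly_selection` rule apply (assumed lookup order, see lead-in).
    """
    for kind in SELECTION_KINDS:
        for rule in rules:
            if rule.kind == kind and fnmatchcase(name, rule.pattern):
                return rule.context, kind == "poly_selection"
    return None


def audit_single_instance(rules: List[Rule], must_be_single: List[str]) -> List[str]:
    """Names from must_be_single that the rules would polyinstantiate or leave unlabeled."""
    problems = []
    for name in must_be_single:
        hit = lookup_selection(rules, name)
        if hit is None or hit[1]:
            problems.append(name)
    return problems


if __name__ == "__main__":
    rules = parse_selection_rules(X_CONTEXTS_SELECTIONS)
    # Constructed selection names: the clipboard selections, a D-Bus session
    # bus selection, the ibus server selection, and one further name standing
    # in for "another selection this desktop needs to keep single-instance".
    for name in ("PRIMARY", "CLIPBOARD", "_DBUS_SESSION_BUS_SELECTION_user_1",
                 "@server=ibus", "_XSETTINGS_S0"):
        ctx, poly = lookup_selection(rules, name)
        print(f"{name:38} {ctx}  {'poly' if poly else 'single'}")
    print("must stay single but would be polyinstantiated:",
          audit_single_instance(rules, ["_DBUS_SESSION_BUS_SELECTION_user_1",
                                        "_XSETTINGS_S0"]))
```

Running it shows PRIMARY and CLIPBOARD falling through to the `poly_selection *` line (so two clients in different contexts cannot exchange clipboard data), the D-Bus and ibus names caught by the single-instance exceptions, and `_XSETTINGS_S0` reported by the audit. The post's first option, labeling the clipboard selections with a context application domains cannot reach, would appear in this model as an explicit `selection CLIPBOARD <other context>` line that is found in the first pass before the fallback is reached.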

2010-05-19 17:33:29

by Shaz

Subject: [refpolicy] Howto enable or disable clipboard with selinux?

> You could deny access to the clipboard by labeling the PRIMARY,
> SECONDARY, and CLIPBOARD selections (in the x_contexts file) with a
> context that application domains don't have permissions to access. But
> this will result in BadAccess X protocol errors being returned to the
> application, which will probably abort() as a result (the standard Xlib
> error handling method is to call abort).
>
> You could also polyinstantiate X selections, which would cause the
> clipboard to stop working unless the two parties (selection owner and
> ConvertSelection request issuer) have the exact same context. But if
> you do this, be aware that there are other selections (besides the
> clipboard ones) that you will need to keep as single instances if you
> want things like D-Bus to work. Finding and dealing with all of these
> is a topic of interest at the moment.
>
> An x_contexts file with the following "selections" section would
> implement the second option (the file is located in the contexts/
> directory of the SELinux policy configuration):
>
> #
> ##
> ### Rules for X Selections
> ##
> #
>
> # Put all your single-instance exceptions here
> selection @server=ibus                  system_u:object_r:xselection_t:s0
> selection _DBUS_*                       system_u:object_r:xselection_t:s0
>
> # Default fallback type, will polyinstantiate everything else
> poly_selection *                        system_u:object_r:xselection_t:s0
>

I am finding this difficult to follow ... please suggest some background
reading, which is less time consuming.

--
Shaz

2010-05-19 17:45:01

by cpebenito

Subject: [refpolicy] Howto enable or disable clipboard with selinux?

On Wed, 2010-05-19 at 20:33 +0500, Shaz wrote:
> On Sat, May 15, 2010 at 10:50 PM, Shaz <[email protected]> wrote:
> > Dear list,
> >
> > I want to enable or disable the clipboard with booleans. Is there any
> > available policy that can do this? If not please indicate the relevant place
> > to start with.
>
> There was a flaw in this question that someone on SELinux IRC
> explained to me. We need to control an application's access to
> booleans. But I am still not sure how much effort, and what kind, it
> requires. Pointers to tutorials or some guidance will be appreciated.

If you want to allow changing Booleans on a coarse level (all or
nothing), you just need to allow the setbool permission. The
selinux_set_generic_booleans() or selinux_set_all_booleans() interfaces
should be sufficient for this.

If you want to be fine grained, you can label the selinuxfs entry for
the boolean using the selinux_labeled_boolean() interface. For example
if you wanted to label the "disable_clipboard" boolean:

type my_boolean_t;
selinux_labeled_boolean(my_boolean_t, disable_clipboard)

Then you would need to allow rw permissions on the my_boolean_t file, in
addition to the setbool permission. The caveat on this is that the
selinux_labeled_boolean() call and type declaration must be in the base
module, if you use a modular policy.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com