2009-09-04 14:52:37

by nicky726

Subject: [refpolicy] Basic policy for KDE and Konqueror

Hello,

> Date: Thu, 3 Sep 2009 22:36:17 +0200
> From: Dominick Grift <[email protected]>
> Subject: Re: [refpolicy] Basic policy for KDE and Konqueror
> To: refpolicy at oss.tresys.com
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> On Thu, Sep 03, 2009 at 10:15:23PM +0200, Nicky726 wrote:
>> Hello,
>>
>> I've been reviewing and testing my policy for Konqueror according to Dominick
>> Grift's comments. Now I've got confused with the dbus affair:
>>
>> Dne St 12. srpna 2009 20:58:03 Dominick Grift napsal(a):
>> > use proper dbus interfaces (not dbus unconfined)
>>
>> The thing is that Konqueror starts only with dbus_unconfined(). If I use
>> dbus_system_bus_client() I get a message that Konqueror can't be registered
>> with dbus, as there is already another one registered. If I use
>> dbus_session_bus_client() I get absolutely no output. In both cases Konqueror
>> won't start and no AVC denials are displayed.
>>
>> As I looked into the Evolution and Mozilla policy sources, only these
>> two interfaces are used. Are there some other steps needed for it to work? Or are
>> there some better suited interfaces? Do you have other suggestions?
> dbus policy is a bit "underdeveloped". are you looking in the right places for avc denials?
>
> ausearch -m user_avc -ts today
> grep -i dbus /var/log/messages
>
> dbus throws its denials all around the place. some stuff goes to audit.log other stuff goes to messages.
>
> can you show us your dbus related avc denials?
>>
>> Thanks for your time,
>> Ondrej Vadinsky

This is what I get from /var/log/messages:

In the meantime:
Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)
Sep 4 16:23:44 tsubaki dbus: Can't send to audit system: USER_AVC
avc: received policyload notice (seqno=5)#012: exe="?" (sauid=81,
hostname=?, addr=?, terminal=?)
Sep 4 16:23:44 tsubaki dbus: Reloaded configuration
Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)

With no dbus interface called:
Sep 4 16:23:59 tsubaki dbus: avc: denied { send_msg } for
msgtype=method_call interface=org.freedesktop.DBus member=Hello
dest=org.freedesktop.DBus spid=2807
scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=dbus

With dbus_system_bus_client:
Sep 4 16:45:35 tsubaki dbus: avc: denied { acquire_svc } for
service=org.kde.konqueror-2869 spid=2869
scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=dbus

With dbus_session_bus_client:
Sep 4 16:48:52 tsubaki dbus: avc: denied { send_msg } for
msgtype=method_call interface=org.freedesktop.DBus member=Hello
dest=org.freedesktop.DBus spid=2897
scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=dbus

Thanks for your time,
Ondrej Vadinsky

--
"Don't it always seem to go
That you don't know what you've got
Till it's gone."

                    (Joni Mitchell)


2009-09-04 15:19:02

by domg472

Subject: [refpolicy] Basic policy for KDE and Konqueror

On Fri, Sep 04, 2009 at 04:52:37PM +0200, Nicky 726 wrote:
> Hello,
>
> > Date: Thu, 3 Sep 2009 22:36:17 +0200
> > From: Dominick Grift <[email protected]>
> > Subject: Re: [refpolicy] Basic policy for KDE and Konqueror
> > To: refpolicy at oss.tresys.com
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > On Thu, Sep 03, 2009 at 10:15:23PM +0200, Nicky726 wrote:
> >> Hello,
> >>
> >> I've been reviewing and testing my policy for Konqueror according to Dominick
> >> Grift's comments. Now I've got confused with the dbus affair:
> >>
> >> Dne St 12. srpna 2009 20:58:03 Dominick Grift napsal(a):
> >> > use proper dbus interfaces (not dbus unconfined)
> >>
> >> The thing is that Konqueror starts only with dbus_unconfined(). If I use
> >> dbus_system_bus_client() I get a message that Konqueror can't be registered
> >> with dbus, as there is already another one registered. If I use
> >> dbus_session_bus_client() I get absolutely no output. In both cases Konqueror
> >> won't start and no AVC denials are displayed.
> >>
> >> As I looked into the Evolution and Mozilla policy sources, only these
> >> two interfaces are used. Are there some other steps needed for it to work? Or are
> >> there some better suited interfaces? Do you have other suggestions?
> > dbus policy is a bit "underdeveloped". are you looking in the right places for avc denials?
> >
> > ausearch -m user_avc -ts today
> > grep -i dbus /var/log/messages
> >
> > dbus throws its denials all around the place. some stuff goes to audit.log other stuff goes to messages.
> >
> > can you show us your dbus related avc denials?
> >>
> >> Thanks for your time,
> >> Ondrej Vadinsky
>
> This is what I get from /var/log/messages:
>
> In the meantime:
> Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)
> Sep 4 16:23:44 tsubaki dbus: Can't send to audit system: USER_AVC
> avc: received policyload notice (seqno=5)#012: exe="?" (sauid=81,
> hostname=?, addr=?, terminal=?)
> Sep 4 16:23:44 tsubaki dbus: Reloaded configuration
> Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)
>
> With no dbus interface called:
> Sep 4 16:23:59 tsubaki dbus: avc: denied { send_msg } for
> msgtype=method_call interface=org.freedesktop.DBus member=Hello
> dest=org.freedesktop.DBus spid=2807
> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=dbus

This may work for the issue above:

userdom_dbus_send_all_users(konqueror)

>
> With dbus_system_bus_client:
> Sep 4 16:45:35 tsubaki dbus: avc: denied { acquire_svc } for
> service=org.kde.konqueror-2869 spid=2869
> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=dbus
I'm not sure which distro (version) you are using, but on recent versions you can probably use this for it:

dbus_connect_session_bus(konqueror_t)

>
> With dbus_session_bus_client:
> Sep 4 16:48:52 tsubaki dbus: avc: denied { send_msg } for
> msgtype=method_call interface=org.freedesktop.DBus member=Hello
> dest=org.freedesktop.DBus spid=2897
> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=dbus

Dbus is a bit tricky, especially when it comes to GUI user apps. You may need/want to create a:

konqueror_dbus_chat()

And you may also need dbusd_session/system_bus_client templates.

Try it out a bit, and when it comes to dbus remember to check both ausearch -m user_avc and /var/log/messages.

>
> Thanks for your time,
> Ondrej Vadinsky
>
> --
> "Don't it always seem to go
> That you don't know what you've got
> Till it's gone."
>
>                     (Joni Mitchell)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
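The thread turns on a practical point: dbus-daemon reports its own AVC denials through the USER_AVC path, so they land in /var/log/messages or in the audit log as USER_AVC records rather than in the kernel AVC stream, and in /var/log/messages the daemon wraps one denial over several lines, so a plain grep shows only the first line. The following triage script is an added example, not code from the thread or from refpolicy: it re-joins the wrapped records, extracts the dbus-class denials (the two from Ondrej's message are embedded as constructed sample input, and a USER_AVC audit record in ausearch's format is constructed for the same send_msg denial), and prints the raw TE rules that audit2allow would derive from them. Those raw rules are only the starting point; in refpolicy the send_msg pair is what a <domain>_dbus_chat() interface wraps, and the interfaces named above (userdom_dbus_send_all_users, dbus_connect_session_bus) are the preferred way to grant them, so the output is meant to tell you which interface to look for, not to be pasted into a .te file.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the denials quoted in the thread, as /var/log/messages
# shows them (only the first physical line of each record carries the prefix).
SAMPLE_MESSAGES = """\
Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)
Sep 4 16:23:59 tsubaki dbus: avc: denied { send_msg } for
msgtype=method_call interface=org.freedesktop.DBus member=Hello
dest=org.freedesktop.DBus spid=2807
scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=dbus
Sep 4 16:45:35 tsubaki dbus: avc: denied { acquire_svc } for
service=org.kde.konqueror-2869 spid=2869
scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=dbus
"""

# Constructed sample of the same send_msg denial as a USER_AVC audit record
# (the shape `ausearch -m user_avc` prints); timestamps and pids are made up.
SAMPLE_AUDIT = (
    "type=USER_AVC msg=audit(1252076632.406:91): pid=2801 uid=81 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 "
    "msg='avc: denied { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus "
    "spid=2897 scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023 "
    "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus "
    ": exe=\"?\" sauid=81 hostname=? addr=? terminal=?'\n"
)

# A record starts at a syslog-prefixed line or at an audit record header;
# any other line is a continuation of the previous record.
RECORD_START = re.compile(
    r"^(?:[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ |type=\w+ msg=audit\()"
)
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)", re.S)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class DbusDenial:
    perms: Tuple[str, ...]   # e.g. ("send_msg",)
    stype: str               # source type, e.g. konqueror_t
    ttype: str               # peer type for send_msg, the bus's type for acquire_svc
    tclass: str              # always "dbus" here
    fields: Dict[str, str]   # remaining key=value pairs (member, dest, service, ...)


def split_records(text: str) -> List[str]:
    """Re-join records that dbus-daemon wrapped over several syslog lines."""
    records: List[str] = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def _type_of(context: str) -> str:
    """user:role:type[:mls] -> type."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_denials(text: str) -> List[DbusDenial]:
    """Extract dbus-class AVC denials from /var/log/messages or USER_AVC text."""
    found: List[DbusDenial] = []
    for rec in split_records(text):
        m = DENIED_RE.search(rec)
        if not m:
            continue  # policyload notices, "Reloaded configuration", etc.
        kv = dict(KV_RE.findall(m.group(2)))
        if kv.get("tclass") != "dbus":
            continue
        found.append(DbusDenial(
            perms=tuple(m.group(1).split()),
            stype=_type_of(kv["scontext"]),
            ttype=_type_of(kv["tcontext"]),
            tclass=kv["tclass"],
            fields={k: v for k, v in kv.items()
                    if k not in ("scontext", "tcontext", "tclass")},
        ))
    return found


def suggest_rules(denials: List[DbusDenial]) -> List[str]:
    """Raw TE rules that would satisfy each denial. send_msg is emitted in both
    directions because a method call also needs the reply path; that pair is
    what refpolicy's <domain>_dbus_chat() interfaces grant."""
    rules = set()
    for d in denials:
        for perm in d.perms:
            rules.add(f"allow {d.stype} {d.ttype}:{d.tclass} {perm};")
            if perm == "send_msg":
                rules.add(f"allow {d.ttype} {d.stype}:{d.tclass} {perm};")
    return sorted(rules)


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_MESSAGES) + parse_denials(SAMPLE_AUDIT):
        print(d.perms, d.stype, "->", d.ttype, d.fields.get("member") or d.fields.get("service"))
    print("\n".join(suggest_rules(parse_denials(SAMPLE_MESSAGES))))
```

Run it against a real host by piping `grep -i dbus /var/log/messages` or `ausearch -m user_avc -ts today` into parse_denials; the acquire_svc rule it prints for the session bus is the one the thread maps to dbus_connect_session_bus, and the send_msg pair is the one a konqueror_dbus_chat() interface would carry.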