Hello,
> Date: Fri, 4 Sep 2009 17:19:02 +0200
> From: Dominick Grift <[email protected]>
> Subject: Re: [refpolicy] Basic policy for KDE and Konqueror
> To: refpolicy at oss.tresys.com
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Fri, Sep 04, 2009 at 04:52:37PM +0200, Nicky 726 wrote:
>> Hello,
>>
>> > Date: Thu, 3 Sep 2009 22:36:17 +0200
>> > From: Dominick Grift <[email protected]>
>> > Subject: Re: [refpolicy] Basic policy for KDE and Konqueror
>> > To: refpolicy at oss.tresys.com
>> > Message-ID: <[email protected]>
>> > Content-Type: text/plain; charset="us-ascii"
>> >
>> > On Thu, Sep 03, 2009 at 10:15:23PM +0200, Nicky726 wrote:
>> >> Hello,
>> >>
>> >> I've been reviewing and testing my policy for Konqueror according to Dominick
>> >> Grift's comments. Now I've got confused with the dbus affair:
>> >>
>> >> Dne St 12. srpna 2009 20:58:03 Dominick Grift napsal(a):
>> >> > use proper dbus interfaces (not dbus unconfined)
>> >>
>> >> The thing is that Konqueror starts only with dbus_unconfined(). If I use
>> >> dbus_system_bus_client() I got message, that Konqueror can't be registered
>> >> with dbus, as there is already another one registered. If I use
>> >> dbus_session_bus_client() I got absolutely no output. In both cases Konqueror
>> >> won't start and no AVC denials are displayed.
>> >>
>> >> As I looked into Evolution and Mozilla policies sources, there are only this
>> >> two interfaces used. Are there some other steps needed for it to work? Or is
>> >> there some better suited interfaces? Do you have other suggestions?
>> > dbus policy is a bit "underdeveloped". are you looking in the right places for avc denials?
>> >
>> > ausearch -m user_avc -ts today
>> > grep -i dbus /var/log/messages
>> >
>> > dbus throws its denials all around the place. some stuff goes to audit.log other stuff goes to messages.
>> >
>> > can you show us your dbus related avc denials?
>> >>
>> >> Thanks for your time,
>> >> Ondrej Vadinsky
>>
>> This is what I get from /var/log/messages:
>>
>> In the mean time:
>> Sep ?4 16:23:44 tsubaki dbus: avc: ?received policyload notice (seqno=5)
>> Sep ?4 16:23:44 tsubaki dbus: Can't send to audit system: USER_AVC
>> avc: ?received policyload notice (seqno=5)#012: exe="?" (sauid=81,
>> hostname=?, addr=?, terminal=?)
>> Sep ?4 16:23:44 tsubaki dbus: Reloaded configuration
>> Sep ?4 16:23:44 tsubaki dbus: avc: ?received policyload notice (seqno=5)
>>
>> With no dbus interface called:
>> Sep ?4 16:23:59 tsubaki dbus: avc: ?denied ?{ send_msg } for
>> msgtype=method_call interface=org.freedesktop.DBus member=Hello
>> dest=org.freedesktop.DBus spid=2807
>> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=dbus
>
> This may work for the issue above:
>
> userdom_dbus_send_all_users(konqueror)
yes it worked for send_msg but only triggered acquire_svc denyal
>
>>
>> With dbus_system_bus_client:
>> Sep ?4 16:45:35 tsubaki dbus: avc: ?denied ?{ acquire_svc } for
>> service=org.kde.konqueror-2869 spid=2869
>> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=dbus
> I ' am not sure which distro (version) you are using but on recent version you can probably use for this:
>
> dbus_connect_session_bus(konqueror_t)
With up-to-date fedora 11 it sadly didn't do anything for me
>
>>
>> With dbus_session_bus_client:
>> Sep ?4 16:48:52 tsubaki dbus: avc: ?denied ?{ send_msg } for
>> msgtype=method_call interface=org.freedesktop.DBus member=Hello
>> dest=org.freedesktop.DBus spid=2897
>> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=dbus
>
> Dbus is a bit tricky, especially when it comes to GUI user apps. You may need /want to create a:
>
> konqueror_dbus_chat()
Created and called from konqueror_run(), it solves the send_msg stuff too.
>
> And you may also need dbusd_session/system_bus_client templates.
Theese didn't work for me either, I end up with acquire_svc denyal too
> Try it out a bit and when it comes to dbus remember to check both ausearch -m user_avc, as well as /var/log/messages
I searched dbus related interfaces again and it worked with
unconfined_dbus_connect() which I guess ain't much clean sollution or
is it?
The other thing which works fine is adding:
allow konqueror_t $2:dbus acquire_svc;
into konqueror_run().
Don't know how much cleaner this is, but seems to me as better
solution since it works with current user domain and not only and
always with unconfined. But fix me if I'm wrong. Can I consider this
dbus issue solved or should I try something else? In that case, what
would you suggest?
Thanks for your time,
Ondrej Vadinsky
--
"Don't it always seem to go
That you don't know what you've got
Till it's gone."
(Joni Mitchell)
On Sat, Sep 05, 2009 at 05:39:24PM +0200, Nicky 726 wrote:
> Hello,
>
> > Date: Fri, 4 Sep 2009 17:19:02 +0200
> > From: Dominick Grift <[email protected]>
> > Subject: Re: [refpolicy] Basic policy for KDE and Konqueror
> > To: refpolicy at oss.tresys.com
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > On Fri, Sep 04, 2009 at 04:52:37PM +0200, Nicky 726 wrote:
> >> Hello,
> >>
> >> > Date: Thu, 3 Sep 2009 22:36:17 +0200
> >> > From: Dominick Grift <[email protected]>
> >> > Subject: Re: [refpolicy] Basic policy for KDE and Konqueror
> >> > To: refpolicy at oss.tresys.com
> >> > Message-ID: <[email protected]>
> >> > Content-Type: text/plain; charset="us-ascii"
> >> >
> >> > On Thu, Sep 03, 2009 at 10:15:23PM +0200, Nicky726 wrote:
> >> >> Hello,
> >> >>
> >> >> I've been reviewing and testing my policy for Konqueror according to Dominick
> >> >> Grift's comments. Now I've got confused with the dbus affair:
> >> >>
> >> >> Dne St 12. srpna 2009 20:58:03 Dominick Grift napsal(a):
> >> >> > use proper dbus interfaces (not dbus unconfined)
> >> >>
> >> >> The thing is that Konqueror starts only with dbus_unconfined(). If I use
> >> >> dbus_system_bus_client() I got message, that Konqueror can't be registered
> >> >> with dbus, as there is already another one registered. If I use
> >> >> dbus_session_bus_client() I got absolutely no output. In both cases Konqueror
> >> >> won't start and no AVC denials are displayed.
> >> >>
> >> >> As I looked into Evolution and Mozilla policies sources, there are only this
> >> >> two interfaces used. Are there some other steps needed for it to work? Or is
> >> >> there some better suited interfaces? Do you have other suggestions?
> >> > dbus policy is a bit "underdeveloped". are you looking in the right places for avc denials?
> >> >
> >> > ausearch -m user_avc -ts today
> >> > grep -i dbus /var/log/messages
> >> >
> >> > dbus throws its denials all around the place. some stuff goes to audit.log other stuff goes to messages.
> >> >
> >> > can you show us your dbus related avc denials?
> >> >>
> >> >> Thanks for your time,
> >> >> Ondrej Vadinsky
> >>
> >> This is what I get from /var/log/messages:
> >>
> >> In the mean time:
> >> Sep ?4 16:23:44 tsubaki dbus: avc: ?received policyload notice (seqno=5)
> >> Sep ?4 16:23:44 tsubaki dbus: Can't send to audit system: USER_AVC
> >> avc: ?received policyload notice (seqno=5)#012: exe="?" (sauid=81,
> >> hostname=?, addr=?, terminal=?)
> >> Sep ?4 16:23:44 tsubaki dbus: Reloaded configuration
> >> Sep ?4 16:23:44 tsubaki dbus: avc: ?received policyload notice (seqno=5)
> >>
> >> With no dbus interface called:
> >> Sep ?4 16:23:59 tsubaki dbus: avc: ?denied ?{ send_msg } for
> >> msgtype=method_call interface=org.freedesktop.DBus member=Hello
> >> dest=org.freedesktop.DBus spid=2807
> >> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> >> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >> tclass=dbus
> >
> > This may work for the issue above:
> >
> > userdom_dbus_send_all_users(konqueror)
>
> yes it worked for send_msg but only triggered acquire_svc denyal
>
> >
> >>
> >> With dbus_system_bus_client:
> >> Sep ?4 16:45:35 tsubaki dbus: avc: ?denied ?{ acquire_svc } for
> >> service=org.kde.konqueror-2869 spid=2869
> >> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> >> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >> tclass=dbus
> > I ' am not sure which distro (version) you are using but on recent version you can probably use for this:
> >
> > dbus_connect_session_bus(konqueror_t)
>
> With up-to-date fedora 11 it sadly didn't do anything for me
>
> >
> >>
> >> With dbus_session_bus_client:
> >> Sep ?4 16:48:52 tsubaki dbus: avc: ?denied ?{ send_msg } for
> >> msgtype=method_call interface=org.freedesktop.DBus member=Hello
> >> dest=org.freedesktop.DBus spid=2897
> >> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> >> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >> tclass=dbus
> >
> > Dbus is a bit tricky, especially when it comes to GUI user apps. You may need /want to create a:
> >
> > konqueror_dbus_chat()
>
> Created and called from konqueror_run(), it solves the send_msg stuff too.
>
> >
> > And you may also need dbusd_session/system_bus_client templates.
>
> Theese didn't work for me either, I end up with acquire_svc denyal too
>
> > Try it out a bit and when it comes to dbus remember to check both ausearch -m user_avc, as well as /var/log/messages
>
> I searched dbus related interfaces again and it worked with
> unconfined_dbus_connect() which I guess ain't much clean sollution or
> is it?
>
> The other thing which works fine is adding:
>
> allow konqueror_t $2:dbus acquire_svc;
looks like dbus_connect_session_bus() is not (yet) implemented in f11 and upstream refpolicy. Basically it facilitates the acquire_svc on user bus. You could create it yourself or add the local policy above as a workaround until the interface is implemented.
The reason that dbus_connect_session_bus is not implemented is that confining GUI user apps does not have much priority and it presents some complications which minimize the benefits of confined gui user apps.
>
> into konqueror_run().
> Don't know how much cleaner this is, but seems to me as better
> solution since it works with current user domain and not only and
> always with unconfined. But fix me if I'm wrong. Can I consider this
> dbus issue solved or should I try something else? In that case, what
> would you suggest?
>
>
>
> Thanks for your time,
> Ondrej Vadinsky
>
> --
> "Don't it always seem to go
> That you don't know what you've got
> Till it's gone."
>
> (Joni Mitchell)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090905/c401d24e/attachment.bin