From: nicky726@gmail.com (Nicky726)
Date: Wed, 12 Aug 2009 14:40:20 +0200
Subject: [refpolicy] Basic policy for KDE and Konqueror
Message-ID: <200908121440.21006.Nicky726@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hello,
as a part of my bachelor thesis I've made a basic policy for KDE, namely the
Konqueror web browser. The resulting source files are enclosed in this e-mail.
As KDE is a complicated and interconnected environment, I chose to create a
general module for KDE. It should hold any rules concerning shared parts of KDE
policy. An example is the context of ~/.kde, where configuration is stored,
and the access rules for these files...
Then for every application which is to be confined, there should be one module
depending on the base KDE policy module. I chose to confine Konqueror.
I tested this policy on Fedora 10 with KDE 4.2.4, fully up-to-date.
I understand that the policy I created is probably very rough and needs many
refinements. Would you please comment on it, so I can make it better and maybe
actually useful for some people?
Thanks for your time,
Ondřej Vadinský
(Nicky726)
-------------- next part --------------
# kde.fc: file contexts shared by every confined KDE application.
# Ordering note: the specific ~/.kde/{socket,cache,tmp}-* entries below must
# stay after the generic ~/.kde entry; they relabel those symlinks as tmp
# content instead of home content.

# Qt config file
HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)

# KDE home (whole tree; the konqueror module carves its private files out of it)
HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)

# Files in tmp shared among kdeapps
# ("(.*)?" is equivalent to ".*": a trailing match of anything, including nothing)
/tmp/kde-(.*)? gen_context(system_u:object_r:kde_shared_tmp_t,s0)
/tmp/ksocket-(.*)? gen_context(system_u:object_r:kde_shared_tmp_t,s0)
/var/tmp/kdecache-(.*)? gen_context(system_u:object_r:kde_shared_tmp_t,s0)

# Symlinks in the user home that point at those tmp locations; they are
# labeled as tmp content so that kde_*_tmp interfaces cover them as well.
HOME_DIR/\.kde/socket-(.*)? gen_context(system_u:object_r:kde_shared_tmp_t,s0)
HOME_DIR/\.kde/cache-(.*)? gen_context(system_u:object_r:kde_shared_tmp_t,s0)
HOME_DIR/\.kde/tmp-(.*)? gen_context(system_u:object_r:kde_shared_tmp_t,s0)
-------------- next part --------------
## <summary>Basic KDE confinement: types and interfaces shared by confined KDE applications.</summary>
########################################
## <summary>
##	Do not audit attempts to read
##	kde tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`kde_dontaudit_read_tmp_files',`
	gen_require(`
		type kde_shared_tmp_t;
	')

	# Only the file class is silenced; denials on kde_shared_tmp_t
	# directories, symlinks and sockets are still audited.
	dontaudit $1 kde_shared_tmp_t:file read_file_perms;
')
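########################################
## <summary>
##	Read kde tmp files, symlinks and sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_read_tmp',`
	gen_require(`
		type kde_shared_tmp_t;
	')

	# The shared content lives under /tmp and /var/tmp (see kde.fc), so the
	# caller must be able to traverse the tmp directory and list the
	# kde_shared_tmp_t directories it finds there.
	files_search_tmp($1)
	allow $1 kde_shared_tmp_t:dir list_dir_perms;

	# Each permission set is paired with its own object class. The original
	# applied read_lnk_file_perms and read_sock_file_perms to class "file",
	# which compiled (getattr/read are valid file permissions) but granted
	# nothing on lnk_file or sock_file objects.
	allow $1 kde_shared_tmp_t:file read_file_perms;
	allow $1 kde_shared_tmp_t:lnk_file read_lnk_file_perms;
	allow $1 kde_shared_tmp_t:sock_file read_sock_file_perms;
')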
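########################################
## <summary>
##	Create, read, write, and delete kde tmp
##	files, symlinks, sockets and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_manage_tmp',`
	gen_require(`
		type kde_shared_tmp_t;
	')

	# The managed content sits directly under /tmp and /var/tmp (see kde.fc);
	# without search on the tmp directory itself the rules below are
	# unreachable for a caller that has no other tmp access.
	files_search_tmp($1)

	manage_dirs_pattern($1, kde_shared_tmp_t, kde_shared_tmp_t)
	manage_files_pattern($1, kde_shared_tmp_t, kde_shared_tmp_t)
	manage_lnk_files_pattern($1, kde_shared_tmp_t, kde_shared_tmp_t)
	manage_sock_files_pattern($1, kde_shared_tmp_t, kde_shared_tmp_t)
')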
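########################################
## <summary>
##	Search kde_shared_home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_search_home_dir',`
	gen_require(`
		type kde_shared_home_t;
	')

	allow $1 kde_shared_home_t:dir search_dir_perms;

	# kde_shared_home_t content is rooted in the user's home directory
	# (HOME_DIR/.kde, HOME_DIR/.config in kde.fc), so the caller also needs
	# to traverse the home directory to reach it.
	userdom_search_user_home_dirs($1)
	# NOTE(review): kept from the original submission; confirm it is the
	# intended search interface for the target refpolicy, as the home path
	# traversal is already covered by the line above.
	files_search_rw($1)
')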
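########################################
## <summary>
##	Read kde_shared_home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_read_home_files',`
	gen_require(`
		type kde_shared_home_t;
	')

	allow $1 kde_shared_home_t:file r_file_perms;
	allow $1 kde_shared_home_t:dir list_dir_perms;

	# The files live under HOME_DIR (see kde.fc); traversal of the user's
	# home directory is required before the rules above can take effect.
	userdom_search_user_home_dirs($1)
	# NOTE(review): kept from the original submission; confirm it is still
	# needed once the home directory search above is in place.
	files_search_rw($1)
')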
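########################################
## <summary>
##	Create, read, write, and delete
##	kde_shared_home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_manage_home_files',`
	gen_require(`
		type kde_shared_home_t;
	')

	# Files only: directories are writable (to add/remove entries) but are
	# not created or removed by this interface; see kde_manage_home for that.
	allow $1 kde_shared_home_t:file manage_file_perms;
	allow $1 kde_shared_home_t:dir rw_dir_perms;

	# The content is rooted in HOME_DIR (see kde.fc); without home directory
	# search the caller cannot reach it. The sibling search/read interfaces
	# grant this too, so callers no longer have to combine them manually.
	userdom_search_user_home_dirs($1)
')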
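########################################
## <summary>
##	Create, read, write, and delete kde_shared_home
##	files, symlinks and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_manage_home',`
	gen_require(`
		type kde_shared_home_t;
	')

	manage_dirs_pattern($1, kde_shared_home_t, kde_shared_home_t)
	manage_files_pattern($1, kde_shared_home_t, kde_shared_home_t)
	manage_lnk_files_pattern($1, kde_shared_home_t, kde_shared_home_t)

	# Rooted in HOME_DIR (see kde.fc): the caller must be able to traverse
	# the user's home directory to reach any of the objects above.
	userdom_search_user_home_dirs($1)
')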
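########################################
## <summary>
##	Create files, directories, symlinks and sockets
##	of a specified private type in kde_shared_home_t
##	directories, with a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private type of the created object.
##	</summary>
## </param>
#
# NOTE(review): refpolicy interfaces are prefixed with their module name, so
# this should be kde_home_filetrans. The name is kept here because
# konqueror.te already calls files_kde_home_filetrans(); rename both together.
interface(`files_kde_home_filetrans',`
	gen_require(`
		type kde_shared_home_t;
	')

	# filetrans_pattern declares the type_transition and also grants the
	# caller the directory permissions needed to add entries to
	# kde_shared_home_t dirs; a bare type_transition on its own is silently
	# ineffective if the caller lacks those.
	filetrans_pattern($1, kde_shared_home_t, $2, { file lnk_file sock_file dir })
')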
-------------- next part --------------
policy_module(kde,0.0.1)

########################################
#
# Declarations
#

# Scratch content shared by KDE applications: /tmp/kde-*, /tmp/ksocket-*,
# /var/tmp/kdecache-* and the ~/.kde/{socket,cache,tmp}-* symlinks (kde.fc).
# Confined applications reach it via kde_read_tmp()/kde_manage_tmp().
type kde_shared_tmp_t;
files_tmp_file(kde_shared_tmp_t)

# ~/.kde and ~/.config/Trolltech.conf (kde.fc).
# NOTE(review): files_type() only registers a generic file type. For content
# that lives in user home directories refpolicy normally also registers the
# type as user home content so user domains and home-directory tooling treat
# it consistently — confirm against the userdom interfaces of the target
# refpolicy version before adding that.
type kde_shared_home_t;
files_type(kde_shared_home_t)
-------------- next part --------------
# Konqueror executable: entry point for the transition into konqueror_t.
/usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)

# Konqueror-private configuration inside ~/.kde. These entries have a longer
# literal prefix than kde.fc's HOME_DIR/\.kde(/.*)? entry, so they should take
# precedence over the generic kde_shared_home_t label for exactly these paths.
HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)

# Konqueror-private application data trees (konqueror and khtml directories).
HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
-------------- next part --------------
## <summary>Policy for the Konqueror web browser (depends on the kde module).</summary>
########################################
## <summary>
##	Execute a domain transition to run konqueror.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`konqueror_domtrans',`
	gen_require(`
		type konqueror_t;
		type konqueror_exec_t;
	')

	# Transition only; role authorization for konqueror_t is handled by
	# konqueror_run, which is what user domains should normally call.
	domtrans_pattern($1, konqueror_exec_t, konqueror_t)
')
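########################################
## <summary>
##	Search konqueror home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_search_home_dir',`
	gen_require(`
		type konqueror_home_t;
	')

	allow $1 konqueror_home_t:dir search_dir_perms;

	# konqueror_home_t content is nested inside kde_shared_home_t
	# (HOME_DIR/.kde/share/... in konqueror.fc), so the caller must be able
	# to traverse the surrounding ~/.kde tree to reach it.
	kde_search_home_dir($1)
	# NOTE(review): kept from the original submission; confirm it is still
	# needed once the kde home search above is in place.
	files_search_rw($1)
')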
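########################################
## <summary>
##	Read konqueror home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_read_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	allow $1 konqueror_home_t:file r_file_perms;
	allow $1 konqueror_home_t:dir list_dir_perms;

	# The files live under HOME_DIR/.kde/share (konqueror.fc), which is
	# kde_shared_home_t; traversal of that tree is required first.
	kde_search_home_dir($1)
	# NOTE(review): kept from the original submission; confirm it is still
	# needed once the kde home search above is in place.
	files_search_rw($1)
')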
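########################################
## <summary>
##	Create, read, write, and delete
##	konqueror home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	# Files only; konqueror_home_t directories are written to but not
	# created or removed here (see konqueror_manage_home).
	allow $1 konqueror_home_t:file manage_file_perms;
	allow $1 konqueror_home_t:dir rw_dir_perms;

	# konqueror_home_t is nested in the kde_shared_home_t tree
	# (HOME_DIR/.kde/share/... in konqueror.fc); grant the traversal needed
	# to reach it so callers need not combine interfaces by hand.
	kde_search_home_dir($1)
')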
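########################################
## <summary>
##	Create, read, write, and delete konqueror
##	home files, symlinks and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home',`
	gen_require(`
		type konqueror_home_t;
	')

	manage_dirs_pattern($1, konqueror_home_t, konqueror_home_t)
	manage_files_pattern($1, konqueror_home_t, konqueror_home_t)
	manage_lnk_files_pattern($1, konqueror_home_t, konqueror_home_t)

	# The managed objects sit inside HOME_DIR/.kde/share (konqueror.fc),
	# i.e. inside kde_shared_home_t; traversal of that tree is required.
	kde_search_home_dir($1)
')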
########################################
## <summary>
##	Execute konqueror in the konqueror domain, and
##	allow the specified role the konqueror domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the konqueror domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the role's terminal.
##	</summary>
## </param>
#
interface(`konqueror_run',`
	gen_require(`
		type konqueror_t;
	')

	konqueror_domtrans($1)
	role $2 types konqueror_t;
	# Terminal access is deliberately not granted, only silenced: konqueror
	# is a graphical application and should not need the user's tty/pts.
	dontaudit konqueror_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
##	Send and receive messages from
##	konqueror over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_dbus_chat',`
	gen_require(`
		type konqueror_t;
		class dbus send_msg;
	')

	# Bidirectional, per-domain dbus access; this is the interface other
	# modules should use instead of granting konqueror_t unconfined dbus.
	allow $1 konqueror_t:dbus send_msg;
	allow konqueror_t $1:dbus send_msg;
')
########################################
## <summary>
##	All of the rules required to administrate
##	a konqueror environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the konqueror domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the user terminal.
##	</summary>
## </param>
## <rolecap/>
#
# NOTE(review): $2 (role) and $3 (terminal) are documented but never used in
# the body; either drop them from the documentation or wire them through
# (e.g. to konqueror_run) so the interface matches its contract.
interface(`konqueror_admin',`
	gen_require(`
		type konqueror_t;
	')

	# ptrace grants full inspection/control of konqueror processes; this is
	# expected for an admin interface but must not be handed to user domains.
	allow $1 konqueror_t:process { ptrace signal_perms getattr };
	# Reads konqueror_t-labeled files, i.e. its /proc/<pid> entries.
	read_files_pattern($1, konqueror_t, konqueror_t)
	kde_manage_tmp($1)
	konqueror_manage_home($1)
')
-------------- next part --------------
policy_module(konqueror,0.1.0)

# NOTE(review): a module-level require {} pulls in other modules' private
# types directly and bypasses their interfaces; refpolicy convention is to
# call the owning module's interfaces instead (kde_*, corecmd_*, dbus_*,
# userdom_*). Of the types listed here, user_home_t and kde_shared_home_t are
# not referenced anywhere in the visible part of this module; unconfined_t,
# unconfined_dbusd_t, kde_shared_tmp_t and bin_t are used directly below.
require {
	type unconfined_t;
	type unconfined_dbusd_t;
	type user_home_t;
	type kde_shared_tmp_t;
	type kde_shared_home_t;
	type bin_t;
}
########################################
#
# Declarations
#

type konqueror_t;
type konqueror_exec_t;
application_domain(konqueror_t, konqueror_exec_t)
# NOTE(review): system_r is normally reserved for system/daemon domains; user
# roles are granted konqueror_t through konqueror_run() at the end of this
# file, so this line is probably unnecessary — confirm before keeping it.
role system_r types konqueror_t;
# Permissive mode: denials are logged (AVC) but NOT enforced, so none of the
# rules in this module actually confine konqueror while this line is present.
# Development aid for collecting denials only; remove it before the policy is
# relied upon.
permissive konqueror_t;

# Konqueror-private files under ~/.kde/share (konqueror.fc).
type konqueror_home_t;
files_type(konqueror_home_t)

# Not referenced anywhere in the visible part of this module; port types are
# normally declared centrally in the corenetwork module rather than per app.
type konqueror_port_t;
corenet_port(konqueror_port_t)
########################################
#
# konqueror local policy
#

## internal communication is often done using fifo and unix sockets.
allow konqueror_t self:fifo_file rw_file_perms;
allow konqueror_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(konqueror_t)

# Use shared libs
libs_use_ld_so(konqueror_t)
libs_use_shared_libs(konqueror_t)

# Read localization
miscfiles_read_localization(konqueror_t)

# Allow reading font files
miscfiles_read_fonts(konqueror_t)

# Temp acces from kde module
kde_manage_tmp(konqueror_t)
# New objects konqueror creates directly in tmp get the shared KDE tmp label.
files_tmp_filetrans(konqueror_t,kde_shared_tmp_t, { file dir lnk_file sock_file })

# Full access to konqueror home
konqueror_manage_home(konqueror_t)

# For now manage kde_shared_home files and rw acces to dir and filetrans of created files
# In future with more other kde modules should be reduce to read only
# or important files should be removed from kde_shared_home
# NOTE(review): this is the widest home-directory grant in the module; a
# browser that can rewrite all of ~/.kde can alter other KDE applications'
# configuration, so the read-only reduction noted above matters.
kde_manage_home_files(konqueror_t)

# Needed so that konqueror_home_files in kde_shared_home_t dir wouldn't switch to dirs type
files_kde_home_filetrans(konqueror_t, konqueror_home_t)

# Konqueror runs drkonqi (bin_t) We certainly dont wont to allow running anything in bin_t by
# konqueror, so for now we wont audit that. Correct solution is to confine drkonqi.
# NOTE(review): bin_t is reached via the module-level require {} block; the
# corecmd module's interfaces are the conventional way to refer to it.
dontaudit konqueror_t bin_t:file exec_file_perms;

dev_read_urand(konqueror_t) #/dev/urandom
files_read_usr_files(konqueror_t) #/usr
kernel_read_system_state(konqueror_t) #/proc
xserver_stream_connect_xdm_xserver(konqueror_t) #connect to xdm xserver
allow konqueror_t self:process getsched; # Get self process priority
fs_getattr_xattr_fs(konqueror_t) # extended atributes support

sysnet_dns_name_resolve(konqueror_t)
corenet_all_recvfrom_unlabeled(konqueror_t)

# Access to ports
allow konqueror_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(konqueror_t)
corenet_tcp_sendrecv_all_nodes(konqueror_t)
# sendrecv on all ports covers packet send/receive; outbound connections are
# limited by the explicit connect interfaces below (ftp, http, http cache).
# Extend that list rather than switching to a connect-all interface.
corenet_tcp_sendrecv_all_ports(konqueror_t)
corenet_tcp_connect_ftp_data_port(konqueror_t)
corenet_tcp_connect_ftp_port(konqueror_t)
corenet_tcp_connect_http_port(konqueror_t)
corenet_tcp_connect_http_cache_port(konqueror_t)

# dbus needed to run
# NOTE(review): the four rules below reference unconfined_t / unconfined_dbusd_t
# directly and grant unconfined dbus access, which removes most of the benefit
# of confining the dbus path. konqueror.if already provides
# konqueror_dbus_chat() for per-domain wiring; the session bus peers and the
# dbus module's interfaces should be used instead of the raw types.
allow konqueror_t unconfined_dbusd_t:unix_stream_socket connectto;
allow konqueror_t unconfined_t:unix_stream_socket { read write connectto };
dbus_system_bus_unconfined(konqueror_t)
dbus_unconfined(konqueror_t)
# NOTE(review): these three blocks wire konqueror_run() to the staff, unconfined
# and user domains from inside the application module, requiring their private
# types and roles directly. refpolicy normally does this the other way round:
# the application module exposes a role interface and the user-domain modules
# call it, so that adding konqueror to a new user role does not mean editing
# this file. Consider that shape before merging.
optional_policy(`
	gen_require(`
		type staff_t;
		type staff_devpts_t;
		type staff_tty_device_t;
		role staff_r;
	')

	konqueror_run(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
')

optional_policy(`
	gen_require(`
		type unconfined_t;
		type unconfined_devpts_t;
		type unconfined_tty_device_t;
		role unconfined_r;
	')

	konqueror_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
')

optional_policy(`
	gen_require(`
		type user_t;
		type user_devpts_t;
		type user_tty_device_t;
		role user_r;
	')

	konqueror_run(user_t, user_r, { user_tty_device_t user_devpts_t })
')
# corecmd_bin_entry_type(konqueror_t) # ne