From: domg472@gmail.com (Dominick Grift) Date: Thu, 27 Aug 2009 18:42:38 +0200 Subject: [refpolicy] Basic policy for KDE and Konqueror In-Reply-To: <200908271807.52210.Nicky726@gmail.com> References: <200908121440.21006.Nicky726@gmail.com> <1250103483.19221.31.camel@notebook2.grift.internal> <200908271807.52210.Nicky726@gmail.com> Message-ID: <20090827164238.GA6385@notebook3.grift.internal> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, Aug 27, 2009 at 06:07:52PM +0200, Nicky726 wrote: > Helo, > > I managed to implement almost all of your comments to KDE and Konqueror > policy. Now I need to do some testing, which is where I got totaly stuck. > > First to the konqueror_role(). I created this interface according to policy > for mozilla, but i quite don't get it, where should I place the call itself. > You mention userdomain policy: > > Dne St 12. srpna 2009 20:58:03 Dominick Grift napsal(a): > > the konqueror_run interface calles should be replaced by > > konqueror_role() calls. These calls do not belong there but they belong > > in the user domain policy. > > But I didn't find there much xxx_role() calls. More important I didn't find > there any mozilla_role() which I take as a reference. When I looked through > refpolicy sources I managed to find mozilla_role() and other xxx_role() calls > in roles/unprivuser.te and other roles. So to where do these calls belong? They usually go in Fedoras userdom.if in the right place. But for testing purposes you can add them to you .te file or you could make a separate myuserdom module. policy_module(myuserdom, 0.0.1) gen_require(` type unconfined_t; ') kde_role(unconfined_r, unconfined_t) ') > > I am not sure, that I fully comprehend this situation concerning xxx_role() > calls. I had interface konqueror_run() which was called in konqueror.te. This > should now be replaced by konqueror_role() which I guess should do something > similar, and be called where? What is it good for? And are there more changes > needed so it worked? Could someone explain this more? > > Now to the testing stuff. Til now I managed to test the modules against > unmodified Fedora targeted policy. But with konqueror_role() calls there are > some modifications needed. How to do it? I didn't have much luck with inserting > changed modules to fedora policy, nor with compling what I hope was exact copy > of fedora policy. > > I also think, that this module should be tested against refpolicy-git > shouldn't it? The problem with this is, that fedora didn't even booted with > git refpolicy. How do you test the modules than? Well start by making it work on Fedora, porting it to refpolicy should be reasonably easy. > > > Thanks for the answers, > Ondrej Vadinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090827/c0d16f0c/attachment.bin