From: domg472@gmail.com (Dominick Grift)
Date: Thu, 27 Aug 2009 18:47:04 +0200
Subject: [refpolicy] Basic policy for KDE and Konqueror
In-Reply-To: <200908271807.52210.Nicky726@gmail.com>
References: <200908121440.21006.Nicky726@gmail.com> <1250103483.19221.31.camel@notebook2.grift.internal> <200908271807.52210.Nicky726@gmail.com>
Message-ID: <20090827164704.GB6385@notebook3.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Aug 27, 2009 at 06:07:52PM +0200, Nicky726 wrote:
> Hello,
>
> I managed to implement almost all of your comments to KDE and Konqueror
> policy. Now I need to do some testing, which is where I got totally stuck.
>
> First to the konqueror_role(). I created this interface according to policy
> for mozilla, but I quite don't get it, where should I place the call itself.
> You mention userdomain policy:
>
> On Wed, 12 August 2009 20:58:03, Dominick Grift wrote:
> > the konqueror_run interface calls should be replaced by
> > konqueror_role() calls. These calls do not belong there but they belong
> > in the user domain policy.
>
> But I didn't find there much xxx_role() calls. More important I didn't find
> there any mozilla_role() which I take as a reference. When I looked through
> refpolicy sources I managed to find mozilla_role() and other xxx_role() calls
> in roles/unprivuser.te and other roles. So to where do these calls belong?
>
> I am not sure, that I fully comprehend this situation concerning xxx_role()
> calls. I had interface konqueror_run() which was called in konqueror.te. This

The *_role template instantiates policy for the caller's role. In SELinux, different users can have different roles, and the *_role template makes it easier and more compact. If you have different users you'd have to write similar policy for each user (unconfined, staff, user, guest, xguest) etc. With *_role you write the policy one time and instantiate (call) that for the various users.
(easier to maintain / less policy to write)

> should now be replaced by konqueror_role() which I guess should do something
> similar, and be called where? What is it good for? And are there more changes
> needed so it worked? Could someone explain this more?
>
> Now to the testing stuff. Till now I managed to test the modules against
> unmodified Fedora targeted policy. But with konqueror_role() calls there are
> some modifications needed. How to do it? I didn't have much luck with inserting
> changed modules to fedora policy, nor with compiling what I hope was exact copy
> of fedora policy.
>
> I also think, that this module should be tested against refpolicy-git
> shouldn't it? The problem with this is, that fedora didn't even boot with
> git refpolicy. How do you test the modules then?
>
>
> Thanks for the answers,
> Ondrej Vadinsky
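
The write-once, instantiate-per-role pattern discussed in this message, as an added sketch that is not from the thread or from refpolicy itself. The type names konqueror_t and konqueror_exec_t and the rules chosen for the interface body are assumptions; the call sites follow the roles/unprivuser.te placement of mozilla_role() mentioned in the quoted text.

```m4
## konqueror.if (hypothetical module; type names are assumptions)

########################################
## <summary>
##	Role access for konqueror.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`konqueror_role',`
	gen_require(`
		type konqueror_t, konqueror_exec_t;
	')

	# Authorize the calling role ($1) for the konqueror domain.
	role $1 types konqueror_t;

	# Transition from the calling user domain ($2) when it runs the binary.
	domtrans_pattern($2, konqueror_exec_t, konqueror_t)

	# Let the user domain list and signal its konqueror processes.
	ps_process_pattern($2, konqueror_t)
	allow $2 konqueror_t:process signal_perms;
')

## roles/unprivuser.te: instantiate once for the unprivileged user role
optional_policy(`
	konqueror_role(user_r, user_t)
')

## roles/staff.te: the same rules, instantiated for the staff role
optional_policy(`
	konqueror_role(staff_r, staff_t)
')
```

Each role that should be able to run the application gets one call, and a role without the call gets no transition into konqueror_t.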