From: domg472@gmail.com (Dominick Grift)
Date: Fri, 4 Sep 2009 17:19:02 +0200
Subject: [refpolicy] Basic policy for KDE and Konqueror
In-Reply-To:
References:
Message-ID: <20090904151901.GB21615@notebook3.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Sep 04, 2009 at 04:52:37PM +0200, Nicky 726 wrote:
> Hello,
>
> > Date: Thu, 3 Sep 2009 22:36:17 +0200
> > From: Dominick Grift
> > Subject: Re: [refpolicy] Basic policy for KDE and Konqueror
> > To: refpolicy at oss.tresys.com
> > Message-ID: <20090903203617.GA2709@notebook3.grift.internal>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > On Thu, Sep 03, 2009 at 10:15:23PM +0200, Nicky726 wrote:
> >> Hello,
> >>
> >> I've been reviewing and testing my policy for Konqueror according to Dominick
> >> Grift's comments. Now I've got confused with the dbus affair:
> >>
> >> On Wed, 12 August 2009 20:58:03, Dominick Grift wrote:
> >> > use proper dbus interfaces (not dbus unconfined)
> >>
> >> The thing is that Konqueror starts only with dbus_unconfined(). If I use
> >> dbus_system_bus_client() I got message, that Konqueror can't be registered
> >> with dbus, as there is already another one registered. If I use
> >> dbus_session_bus_client() I got absolutely no output. In both cases Konqueror
> >> won't start and no AVC denials are displayed.
> >>
> >> As I looked into Evolution and Mozilla policies sources, there are only this
> >> two interfaces used. Are there some other steps needed for it to work? Or is
> >> there some better suited interfaces? Do you have other suggestions?
> > dbus policy is a bit "underdeveloped". are you looking in the right places for avc denials?
> >
> > ausearch -m user_avc -ts today
> > grep -i dbus /var/log/messages
> >
> > dbus throws its denials all around the place. some stuff goes to audit.log other stuff goes to messages.
> >
> > can you show us your dbus related avc denials?
> >>
> >> Thanks for your time,
> >> Ondrej Vadinsky
>
> This is what I get from /var/log/messages:
>
> In the mean time:
> Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)
> Sep 4 16:23:44 tsubaki dbus: Can't send to audit system: USER_AVC
> avc: received policyload notice (seqno=5)#012: exe="?" (sauid=81,
> hostname=?, addr=?, terminal=?)
> Sep 4 16:23:44 tsubaki dbus: Reloaded configuration
> Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)
>
> With no dbus interface called:
> Sep 4 16:23:59 tsubaki dbus: avc: denied { send_msg } for
> msgtype=method_call interface=org.freedesktop.DBus member=Hello
> dest=org.freedesktop.DBus spid=2807
> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=dbus

This may work for the issue above:

userdom_dbus_send_all_users(konqueror)

>
> With dbus_system_bus_client:
> Sep 4 16:45:35 tsubaki dbus: avc: denied { acquire_svc } for
> service=org.kde.konqueror-2869 spid=2869
> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=dbus

I am not sure which distro (version) you are using, but on a recent version you can probably use for this:

dbus_connect_session_bus(konqueror_t)

>
> With dbus_session_bus_client:
> Sep 4 16:48:52 tsubaki dbus: avc: denied { send_msg } for
> msgtype=method_call interface=org.freedesktop.DBus member=Hello
> dest=org.freedesktop.DBus spid=2897
> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=dbus

Dbus is a bit tricky, especially when it comes to GUI user apps.

You may need/want to create a:

konqueror_dbus_chat()

And you may also need dbusd_session/system_bus_client templates.
Try it out a bit and when it comes to dbus remember to check both ausearch -m user_avc, as well as /var/log/messages

>
> Thanks for your time,
> Ondrej Vadinsky
>
> --
> "Don't it always seem to go
> That you don't know what you've got
> Till it's gone."
>
>                     (Joni Mitchell)
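
An added example, not part of the original message or of refpolicy: a Python sketch that pulls the dbus `avc: denied` records out of syslog-style text and groups them by source type, target type and permission, so the denials discussed above can be read at a glance. The sample input is the denials quoted in the thread, unwrapped onto one line each; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Denials quoted in the thread, each unwrapped onto a single line.
CTX = ("scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023 "
       "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus")
HELLO = ("msgtype=method_call interface=org.freedesktop.DBus member=Hello "
         "dest=org.freedesktop.DBus")
SAMPLE = "\n".join([
    "Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)",
    f"Sep 4 16:23:59 tsubaki dbus: avc: denied {{ send_msg }} for {HELLO} spid=2807 {CTX}",
    f"Sep 4 16:45:35 tsubaki dbus: avc: denied {{ acquire_svc }} for service=org.kde.konqueror-2869 spid=2869 {CTX}",
    f"Sep 4 16:48:52 tsubaki dbus: avc: denied {{ send_msg }} for {HELLO} spid=2897 {CTX}",
])

# \s+ tolerates the extra spaces some log sources put around "denied".
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_denials(text):
    """Return one dict per 'avc: denied' line; other dbus lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue  # e.g. policyload notices, "Reloaded configuration"
        fields = dict(FIELD.findall(m.group(2)))
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated or line-wrapped record
        fields["perms"] = m.group(1).split()
        denials.append(fields)
    return denials

def group_denials(denials):
    """Map (source type, target type, class) -> {permission: set of objects}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for d in denials:
        # An SELinux context is user:role:type[:level]; the type is field 3.
        key = (d["scontext"].split(":")[2], d["tcontext"].split(":")[2], d["tclass"])
        for perm in d["perms"]:
            # send_msg records name a member, acquire_svc records a service.
            grouped[key][perm].add(d.get("member") or d.get("service") or "?")
    return grouped

def raw_allow_rules(grouped):
    """Render each group as a raw allow rule summarising what was denied."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
            for (s, t, c), perms in sorted(grouped.items())]
```

The rendered rule is a summary of what the bus refused, useful for choosing which dbus interface to call in the module; it is not meant to be pasted into policy as is.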