From: domg472@gmail.com (Dominick Grift)
Date: Sat, 5 Sep 2009 17:48:08 +0200
Subject: [refpolicy] Basic policy for KDE and Konqueror
In-Reply-To:
References:
Message-ID: <20090905154808.GC29896@notebook3.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Sep 05, 2009 at 05:39:24PM +0200, Nicky 726 wrote:
> Hello,
>
> > Date: Fri, 4 Sep 2009 17:19:02 +0200
> > From: Dominick Grift
> > Subject: Re: [refpolicy] Basic policy for KDE and Konqueror
> > To: refpolicy at oss.tresys.com
> > Message-ID: <20090904151901.GB21615@notebook3.grift.internal>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > On Fri, Sep 04, 2009 at 04:52:37PM +0200, Nicky 726 wrote:
> >> Hello,
> >>
> >> > Date: Thu, 3 Sep 2009 22:36:17 +0200
> >> > From: Dominick Grift
> >> > Subject: Re: [refpolicy] Basic policy for KDE and Konqueror
> >> > To: refpolicy at oss.tresys.com
> >> > Message-ID: <20090903203617.GA2709@notebook3.grift.internal>
> >> > Content-Type: text/plain; charset="us-ascii"
> >> >
> >> > On Thu, Sep 03, 2009 at 10:15:23PM +0200, Nicky726 wrote:
> >> >> Hello,
> >> >>
> >> >> I've been reviewing and testing my policy for Konqueror according to Dominick
> >> >> Grift's comments. Now I've got confused with the dbus affair:
> >> >>
> >> >> On Wed, 12 Aug 2009 20:58:03, Dominick Grift wrote:
> >> >> > use proper dbus interfaces (not dbus unconfined)
> >> >>
> >> >> The thing is that Konqueror starts only with dbus_unconfined(). If I use
> >> >> dbus_system_bus_client() I get a message that Konqueror can't be registered
> >> >> with dbus, as there is already another one registered. If I use
> >> >> dbus_session_bus_client() I get absolutely no output. In both cases Konqueror
> >> >> won't start and no AVC denials are displayed.
> >> >>
> >> >> As I looked into the Evolution and Mozilla policy sources, only these
> >> >> two interfaces are used there. Are there some other steps needed for it to work?
> >> >> Or are there some better suited interfaces? Do you have other suggestions?
> >> > dbus policy is a bit "underdeveloped". Are you looking in the right places for AVC denials?
> >> >
> >> > ausearch -m user_avc -ts today
> >> > grep -i dbus /var/log/messages
> >> >
> >> > dbus throws its denials all around the place. Some stuff goes to audit.log, other stuff goes to messages.
> >> >
> >> > Can you show us your dbus related AVC denials?
> >> >>
> >> >> Thanks for your time,
> >> >> Ondrej Vadinsky
> >>
> >> This is what I get from /var/log/messages:
> >>
> >> In the meantime:
> >> Sep  4 16:23:44 tsubaki dbus: avc:  received policyload notice (seqno=5)
> >> Sep  4 16:23:44 tsubaki dbus: Can't send to audit system: USER_AVC
> >> avc:  received policyload notice (seqno=5)#012: exe="?" (sauid=81,
> >> hostname=?, addr=?, terminal=?)
> >> Sep  4 16:23:44 tsubaki dbus: Reloaded configuration
> >> Sep  4 16:23:44 tsubaki dbus: avc:  received policyload notice (seqno=5)
> >>
> >> With no dbus interface called:
> >> Sep  4 16:23:59 tsubaki dbus: avc:  denied  { send_msg } for
> >> msgtype=method_call interface=org.freedesktop.DBus member=Hello
> >> dest=org.freedesktop.DBus spid=2807
> >> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> >> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >> tclass=dbus
> >
> > This may work for the issue above:
> >
> > userdom_dbus_send_all_users(konqueror)
>
> Yes, it worked for send_msg but only triggered an acquire_svc denial.
>
> >
> >>
> >> With dbus_system_bus_client:
> >> Sep  4 16:45:35 tsubaki dbus: avc:  denied  { acquire_svc } for
> >> service=org.kde.konqueror-2869 spid=2869
> >> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> >> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >> tclass=dbus
> > I am not sure which distro (version) you are using, but on a recent version you can probably use for this:
> >
> > dbus_connect_session_bus(konqueror_t)
>
> With up-to-date Fedora 11 it sadly didn't do anything for me.
>
> >
> >>
> >> With dbus_session_bus_client:
> >> Sep  4 16:48:52 tsubaki dbus: avc:  denied  { send_msg } for
> >> msgtype=method_call interface=org.freedesktop.DBus member=Hello
> >> dest=org.freedesktop.DBus spid=2897
> >> scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023
> >> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >> tclass=dbus
> >
> > Dbus is a bit tricky, especially when it comes to GUI user apps. You may need/want to create a:
> >
> > konqueror_dbus_chat()
>
> Created and called from konqueror_run(); it solves the send_msg stuff too.
>
> >
> > And you may also need dbusd_session/system_bus_client templates.
>
> These didn't work for me either; I end up with an acquire_svc denial too.
>
> > Try it out a bit and when it comes to dbus remember to check both ausearch -m user_avc, as well as /var/log/messages
>
> I searched dbus related interfaces again and it worked with
> unconfined_dbus_connect(), which I guess isn't a very clean solution, or
> is it?
>
> The other thing which works fine is adding:
>
> allow konqueror_t $2:dbus acquire_svc;

Looks like dbus_connect_session_bus() is not (yet) implemented in f11 and upstream refpolicy. Basically it facilitates the acquire_svc on the user bus. You could create it yourself or add the local policy above as a workaround until the interface is implemented.

The reason that dbus_connect_session_bus is not implemented is that confining GUI user apps does not have much priority and it presents some complications which minimize the benefits of confined GUI user apps.

> into konqueror_run().
> Don't know how much cleaner this is, but it seems to me a better
> solution since it works with the current user domain and not only and
> always with unconfined. But correct me if I'm wrong. Can I consider this
> dbus issue solved or should I try something else? In that case, what
> would you suggest?
>
> Thanks for your time,
> Ondrej Vadinsky
>
> --
> "Don't it always seem to go
> That you don't know what you've got
> Till it's gone."
>
> (Joni Mitchell)
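The pieces discussed in this thread, pulled together as an added example of what a konqueror.if could look like. This is illustration written for this page, not Ondrej's posted policy and not code from refpolicy. It assumes the konqueror_t and konqueror_exec_t types are declared in konqueror.te, that konqueror_run() follows the role-template convention of the time with $1 the user role and $2 the user domain (which is what the quoted `allow konqueror_t $2:dbus acquire_svc;` implies), and that the session bus daemon runs in that user domain, as the AVC records above show (tcontext=...:unconfined_t, tclass=dbus). The acquire_svc rule is the local workaround Dominick mentions; it is the line to drop once a dbus_connect_session_bus() interface exists in the target refpolicy.

```m4
## Example fragments for policy/modules/apps/konqueror.if (illustrative,
## not from the thread or from refpolicy).

########################################
## <summary>
##	Send and receive dbus messages
##	to and from konqueror.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_dbus_chat',`
	gen_require(`
		type konqueror_t;
		class dbus send_msg;
	')

	# Both directions: konqueror's method calls (e.g. the initial
	# org.freedesktop.DBus Hello) and the replies/signals coming back.
	allow $1 konqueror_t:dbus send_msg;
	allow konqueror_t $1:dbus send_msg;
')

########################################
## <summary>
##	Run konqueror in the konqueror domain
##	from a user role and domain.
## </summary>
## <param name="role">
##	<summary>
##	The user role (assumed position $1).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	The user domain that starts konqueror and
##	that the session bus daemon runs in
##	(assumed position $2).
##	</summary>
## </param>
#
template(`konqueror_run',`
	gen_require(`
		type konqueror_t, konqueror_exec_t;
		class dbus { send_msg acquire_svc };
	')

	# Domain transition on exec of the konqueror binary.
	domtrans_pattern($2, konqueror_exec_t, konqueror_t)
	role $1 types konqueror_t;

	# Fixes the send_msg denials (member=Hello dest=org.freedesktop.DBus)
	# seen with no dbus interface and with dbus_session_bus_client().
	konqueror_dbus_chat($2)

	# Fixes the acquire_svc denial (service=org.kde.konqueror-<pid>):
	# the session bus daemon is in the user domain, so owning a bus
	# name is acquire_svc on that domain. Local workaround until a
	# dbus_connect_session_bus() interface is available.
	allow konqueror_t $2:dbus acquire_svc;
')
```

A call site would then be, for an unconfined user, `konqueror_run(unconfined_r, unconfined_t)`, and for a confined user role something like `konqueror_run(user_r, user_t)` (both hypothetical call sites). After loading the module, re-check both `ausearch -m user_avc -ts today` and `grep -i dbus /var/log/messages`, since the dbus daemon's denials are split between the two.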