From: nicky726@gmail.com (Nicky726)
Date: Mon, 14 Sep 2009 11:20:35 +0200
Subject: [refpolicy] Basic policy for KDE and Konqueror, third look
Message-ID: <200909141120.35378.Nicky726@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hello,
my previous post got somehow cripled by web-mail interface, so lets try it
better this time:
I incorporated to my policy most of comments by Dominick Grift and
reorganized the konqueror.te structure according to this article:
http://danwalsh.livejournal.com/14442.html, therefore I send the
policy for further comments, so I could make it better.
P.S.
There is still isue because of type_transition in
files_kde_home_filetrans() interface. Dominick Grift suggests using
manage_files_pattern instead. The problem is, that only
manage_files_pattern is not enough for it to work corretly (or I have
there some mistake). type_transition or filetrans_pattern is needed,
as konqueror_home_t files reside in kde_shared_home_t directory and
when they are rewriten, they tend to keep kde_shared_home_t type,
which is not desired. Therefor I decided to keep the
filetrans_pattern, but if anyone could think of better working
solution, I'm ready to adopt it.
P.P.S.
What steps are needed to get this policy adopted to main refpolicy?
Thanks for your time,
Ondrej Vadinsky
--
"Don't it always seem to go
That you don't know what you've got
Till it's gone."
(Joni Mitchell)
-------------- next part --------------
# Qt config file
HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)
# KDE home
HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)
-------------- next part --------------
## Basic kde confinement
########################################
##
## Search kde_shared_home directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`kde_search_home_dir',`
gen_require(`
type kde_shared_home_t;
')
allow $1 kde_shared_home_t:dir search_dir_perms;
files_search_rw($1)
userdom_search_user_home_dirs($1)
')
########################################
##
## Read kde_shared_home files.
##
##
##
## Domain allowed access.
##
##
#
interface(`kde_read_home_files',`
gen_require(`
type kde_shared_home_t;
')
allow $1 kde_shared_home_t:file r_file_perms;
allow $1 kde_shared_home_t:dir list_dir_perms;
files_search_rw($1)
userdom_search_user_home_dirs($1)
')
########################################
##
## Create, read, write, and delete
## kde_shared_home files links and dirs
##
##
##
## Domain allowed access.
##
##
#
interface(`kde_manage_home_files',`
gen_require(`
type kde_shared_home_t;
')
allow $1 kde_shared_home_t:file manage_file_perms;
allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
allow $1 kde_shared_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
')
########################################
##
## Manage kde_shared_home files links and dirs.
##
##
##
## Domain allowed access.
##
##
#
interface(`kde_manage_home',`
gen_require(`
type kde_shared_home_t;
')
manage_dirs_pattern($1,kde_shared_home_t,kde_shared_home_t)
manage_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
manage_lnk_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
userdom_search_user_home_dirs($1)
')
########################################
##
## Create file, dir, links of specified type in
## kde_shared_home_t dirs with type transition
##
##
##
## Domain allowed access
##
##
##
##
## Private type of created object
##
##
#
interface(`files_kde_home_filetrans',`
gen_require(`
type kde_shared_home_t;
')
#type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;
manage_files_pattern($1,kde_shared_home_t,$2)
manage_lnk_files_pattern($1,kde_shared_home_t,$2)
manage_sock_files_pattern($1,kde_shared_home_t,$2)
manage_dirs_pattern($1,kde_shared_home_t,$2)
#Filetrans needed, as the directory is of other type, than created object
filetrans_pattern($1,kde_shared_home_t,$2,{ file lnk_file sock_file dir })
')
-------------- next part --------------
policy_module(kde,0.0.7)
########################################
#
# Declarations
#
type kde_shared_tmp_t;
files_tmp_file(kde_shared_tmp_t)
ubac_constrained(kde_shared_tmp_t)
type kde_shared_home_t;
userdom_user_home_content(kde_shared_home_t)
-------------- next part --------------
/usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)
HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
-------------- next part --------------
## Policy for Konqueror
########################################
##
## Role access for konqueror
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
interface(`konqueror_role',`
gen_require(`
type konqueror_t, konqueror_exec_t, konqueror_home_t;
')
role $1 types konqueror_t;
konqueror_domtrans($2)
# Unrestricted inheritance from the caller.
allow konqueror_t $2:fd use;
allow konqueror_t $2:process signal_perms;
dontaudit $2 konqueror_t:process { noatsecure siginh rlimitinh };
# Allow the user domain to signal/ps.
ps_process_pattern($2, konqueror_t)
allow $2 konqueror_t:process signal_perms;
allow $2 konqueror_t:fd use;
allow $2 konqueror_t:shm { associate getattr };
allow $2 konqueror_t:shm { unix_read unix_write };
allow $2 konqueror_t:unix_stream_socket connectto;
# X access, Home files
manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
userdom_stream_connect(konqueror_t)
# Allow konqueror to acquire dbus service from user domain and chat with konqueror
# This is workaround for not yet implemented interface in dbus
optional_policy(`
gen_require(`
class dbus acquire_svc;
')
allow konqueror_t $2:dbus acquire_svc;
')
konqueror_dbus_chat($2)
')
########################################
##
## Execute a domain transition to run konqueror.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`konqueror_domtrans',`
gen_require(`
type konqueror_t;
type konqueror_exec_t;
')
domtrans_pattern($1,konqueror_exec_t,konqueror_t)
')
########################################
##
## Search konqueror rw directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`konqueror_search_home_dir',`
gen_require(`
type konqueror_home_t;
')
allow $1 konqueror_home_t:dir search_dir_perms;
files_search_rw($1)
userdom_search_user_home_dirs($1)
')
########################################
##
## Read konqueror rw files.
##
##
##
## Domain allowed access.
##
##
#
interface(`konqueror_read_home_files',`
gen_require(`
type konqueror_home_t;
')
allow $1 konqueror_home_t:file r_file_perms;
allow $1 konqueror_home_t:dir list_dir_perms;
files_search_rw($1)
userdom_search_user_home_dirs($1)
')
########################################
##
## Create, read, write, and delete
## konqueror rw files.
##
##
##
## Domain allowed access.
##
##
#
interface(`konqueror_manage_home_files',`
gen_require(`
type konqueror_home_t;
')
allow $1 konqueror_home_t:file manage_file_perms;
allow $1 konqueror_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
')
########################################
##
## Manage konqueror rw files.
##
##
##
## Domain allowed access.
##
##
#
interface(`konqueror_manage_home',`
gen_require(`
type konqueror_home_t;
')
manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)
userdom_search_user_home_dirs($1)
')
########################################
##
## Send and receive messages from
## konqueror over dbus.
##
##
##
## Domain allowed access.
##
##
#
interface(`konqueror_dbus_chat',`
gen_require(`
type konqueror_t;
')
optional_policy(`
gen_require(`
class dbus send_msg;
')
allow $1 konqueror_t:dbus send_msg;
allow konqueror_t $1:dbus send_msg;
')
')
########################################
##
## All of the rules required to administrate
## an konqueror environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the konqueror domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
interface(`konqueror_admin',`
gen_require(`
type konqueror_t;
')
allow $1 konqueror_t:process { ptrace signal_perms getattr };
read_files_pattern($1, konqueror_t, konqueror_t)
konqueror_manage_home($1)
optional_policy(`
kde_manage_tmp($1)
')
')
-------------- next part --------------
policy_module(konqueror,0.3)
########################################
#
# Konqueror personal declarations
#
##
##
## Allow Konqueror to run bin_t because of drkonqi
##
##
gen_tunable(konqueror_exec_bin_t, false)
type konqueror_t;
type konqueror_exec_t;
application_domain(konqueror_t, konqueror_exec_t)
ubac_constrained(konqueror_t)
type konqueror_home_t;
userdom_user_home_content(konqueror_home_t)
type konqueror_tmp_t;
files_tmp_file(konqueror_tmp_t)
ubac_constrained(konqueror_tmp_t)
########################################
#
# Konqueror local policy
#
#
# Allow rules and patterns
#
allow konqueror_t self:fifo_file rw_file_perms; # Internal communication using fifo
allow konqueror_t self:process getsched; # get self process priority
allow konqueror_t self:tcp_socket create_stream_socket_perms;
konqueror_dbus_chat(konqueror_t) # internal comunication done by dbus
# Temp acces for konqueror
manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
konqueror_manage_home(konqueror_t) # full access to konqueror home
#
# Interfaces from kernel directory
#
# Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
corecmd_dontaudit_getattr_bin_files(konqueror_t)
corecmd_dontaudit_exec_all_executables(konqueror_t)
# Access to ports
corenet_all_recvfrom_unlabeled(konqueror_t)
corenet_tcp_sendrecv_all_if(konqueror_t)
corenet_tcp_sendrecv_all_nodes(konqueror_t)
corenet_tcp_sendrecv_all_ports(konqueror_t)
corenet_tcp_connect_ftp_data_port(konqueror_t)
corenet_tcp_connect_ftp_port(konqueror_t)
corenet_tcp_connect_http_port(konqueror_t)
corenet_tcp_connect_http_cache_port(konqueror_t)
dev_read_urand(konqueror_t) #/dev/urandom
files_read_etc_files(konqueror_t)
files_read_usr_files(konqueror_t) #/usr
fs_getattr_xattr_fs(konqueror_t) # extended atributes support
kernel_read_system_state(konqueror_t) #/proc
#
# Interfaces from system directory
#
# Use shared libs
libs_use_ld_so(konqueror_t)
libs_use_shared_libs(konqueror_t)
# Read localization and fonts
miscfiles_read_fonts(konqueror_t)
miscfiles_read_localization(konqueror_t)
sysnet_dns_name_resolve(konqueror_t)
# Now KDE temp stuff is created with user_tmp_t with more KDE aps confined
# it'll have the right context. For now grant minimal necessary access to usr temp
userdom_read_user_tmp_files(konqueror_t)
userdom_use_user_terminals(konqueror_t) #run from terminal
# To ensure, that konqueror files with usr_tmp_t are labeled correctly as konqueror_tmp_t
userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })
#
# Interfaces from other directories
#
xserver_read_xdm_tmp_files(konqueror_t)
xserver_read_user_xauth(konqueror_t)
xserver_stream_connect(konqueror_t) #connect to xserver
xserver_stream_connect_xdm(konqueror_t) #connect to xdm xserver
#
# Tunable policies
#
tunable_policy(`konqueror_exec_bin_t',`
corecmd_exec_bin(konqueror_t)
')
#
# Optional policies
#
# Access to kde_shared_home_t, should be reduced in future
# Transition so that konqueror_home_files in kde_shared_home_t dir
# wouldn't switch to parent directory type
optional_policy(`
kde_manage_home_files(konqueror_t)
files_kde_home_filetrans(konqueror_t, konqueror_home_t)
')
# For testing purpouses only!
# Should be in userdomain.if
gen_require(`
type unconfined_t;
role unconfined_r;
')
konqueror_role(unconfined_r, unconfined_t)