From: nicky726@gmail.com (Nicky726)
Date: Wed, 27 Jan 2010 16:23:36 +0100
Subject: [refpolicy] Basic policy for KDE and Konqueror, third look
In-Reply-To: <1253107894.27614.45.camel@gorn.columbia.tresys.com>
References: <200909141120.35378.Nicky726@gmail.com> <1253107894.27614.45.camel@gorn.columbia.tresys.com>
Message-ID: <201001271623.37040.Nicky726@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

here I am again after some time, with my Konqueror policy related questions. I was too busy with school, but by now I have managed to incorporate almost all comments by Chris PeBenito. I only need to do some testing, which is where I got stuck again.

I've got this ugly hack just for testing purposes:

gen_require(`
	type unconfined_t;
	role unconfined_r;
')
konqueror_role(unconfined_r, unconfined_t)

in konqueror.te so that Konqueror is run in the correct context (work-in-progress .if file included). The problem is that when I run Konqueror, the context is not changed; it is still unconfined...

Did I miss some revolutionary change in refpolicy or Fedora in the last 4 months which causes this, or do I have some stupid mistake in my policy?

I was also trying to put this konqueror_role call where it belongs -- not that I'm sure where that is, as there is a big difference between refpolicy and Fedora. To make it short, there is too much code for me to follow, and too many changes in the Fedora policy patches.

How do the refpolicy developers test their policies, btw?

Guess that's all for now.

Thanks for your answers and patience,
Ondrej Vadinsky

--
Don`t it always seem to go
That you don`t know what you`ve got
Till it`s gone.
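(Joni Mitchell) -------------- next part --------------
## <summary>Konqueror KDE web browser</summary>

########################################
## <summary>
##	Role access for konqueror
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`konqueror_role',`
	gen_require(`
		type konqueror_t, konqueror_exec_t, konqueror_home_t;
	')

	#TODO Test what is really needed!
	role $1 types konqueror_t;

	konqueror_domtrans($2)

	# Unrestricted inheritance from the caller.
	# NOTE(review): the dontaudit rule below only silences denials for
	# noatsecure, siginh and rlimitinh; it does not grant them.
	allow konqueror_t $2:fd use;
	allow konqueror_t $2:process signal_perms;
	dontaudit $2 konqueror_t:process { noatsecure siginh rlimitinh };

	# Allow the user domain to signal/ps.
	ps_process_pattern($2, konqueror_t)
	allow $2 konqueror_t:process signal_perms;
	allow $2 konqueror_t:fd use;
	allow $2 konqueror_t:shm { associate getattr };
	allow $2 konqueror_t:shm { unix_read unix_write };
	allow $2 konqueror_t:unix_stream_socket connectto;

	# X access, Home files
	# The user domain may manage and relabel everything labeled konqueror_home_t.
	manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)

	userdom_stream_connect(konqueror_t)

	# Allow konqueror to acquire dbus service from user domain and chat with konqueror
	# This is workaround for not yet implemented interface in dbus
	optional_policy(`
		gen_require(`
			class dbus acquire_svc;
		')

		allow konqueror_t $2:dbus acquire_svc;
	')

	konqueror_dbus_chat($2)
')

########################################
## <summary>
##	Execute a domain transition to run konqueror.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`konqueror_domtrans',`
	gen_require(`
		type konqueror_t;
		type konqueror_exec_t;
	')

	# The transition is keyed on the konqueror_exec_t entrypoint type.
	domtrans_pattern($1,konqueror_exec_t,konqueror_t)
')

########################################
## <summary>
##	Search konqueror rw directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_search_home',`
	gen_require(`
		type konqueror_home_t;
	')

	allow $1 konqueror_home_t:dir search_dir_perms;
	files_search_rw($1)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read konqueror rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_read_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	allow $1 konqueror_home_t:file read_file_perms;
	allow $1 konqueror_home_t:dir list_dir_perms;
	files_search_rw($1)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Manage konqueror_home_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Manage konqueror_home_t symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_symlinks',`
	gen_require(`
		type konqueror_home_t;
	')

	manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Manage konqueror_home_t directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_dirs',`
	gen_require(`
		type konqueror_home_t;
	')

	manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Send and receive messages from
##	konqueror over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_dbus_chat',`
	gen_require(`
		type konqueror_t;
		class dbus send_msg;
	')

	# send_msg is granted in both directions.
	allow $1 konqueror_t:dbus send_msg;
	allow konqueror_t $1:dbus send_msg;
')

########################################
## <summary>
##	All of the rules required to administrate
##	an konqueror environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the konqueror domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the user terminal.
##	</summary>
## </param>
## <rolecap/>
#
interface(`konqueror_admin',`
	gen_require(`
		type konqueror_t;
	')

	# Only the first parameter is referenced below; the documented role
	# and terminal parameters are not used by any rule in this interface.

	# ptrace lets the admin domain inspect and modify running konqueror
	# processes, so this interface should only go to trusted admin domains.
	allow $1 konqueror_t:process { ptrace signal_perms getattr };
	read_files_pattern($1, konqueror_t, konqueror_t)

	# Management of konqueror_home_t goes through the three manage
	# interfaces defined in this file: dirs, files and symlinks.
	konqueror_manage_home_dirs($1)
	konqueror_manage_home_files($1)
	konqueror_manage_home_symlinks($1)

	optional_policy(`
		kde_manage_tmp($1)
	')
')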