From: nicky726@gmail.com (Nicky726)
Date: Wed, 27 Jan 2010 16:23:36 +0100
Subject: [refpolicy] Basic policy for KDE and Konqueror, third look
In-Reply-To: <1253107894.27614.45.camel@gorn.columbia.tresys.com>
References: <200909141120.35378.Nicky726@gmail.com>
	<1253107894.27614.45.camel@gorn.columbia.tresys.com>
Message-ID: <201001271623.37040.Nicky726@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

here I am again after some time, with my Konqueror policy related questions. I 
was too busy with the school, but by now I managed to incorporate almost all 
commets by Chris PeBenito, I only need to do some testing, which is where I 
got stuck again.

I've got this ugly hack just for testing purposes:

gen_require(`
               type unconfined_t;
               role unconfined_r;
       ')

konqueror_role(unconfined_r, unconfined_t)

in konqueror.te so that Konqueror is run in correct context. (work-in-progress 
.if file inculeded). Problem is that, when I run Konqueror, context is not 
changed, it still is unconfined... 

Did I missed some revolutionary change in refpolicy or Fedora in last 4 
months, which causes this, or have I some stupid mistake in my policy? 

I was also trying to put this konqueror_role call somewhere, where it should 
be -- not that I'm sure, where it is, as there is big difference between 
refpolicy and Fedora. To make it short there is too much code for me to 
follow, and too much changes in Fedora policy patches. How do the refpolicy 
developpers test their policies btw? 

Guess thats all for now. Thanks for your answers and patience,
Ondrej Vadinsky 
-- 
Don`t it always seem to go
That you don`t know what you`ve got
Till it`s gone.

		(Joni Mitchell)
-------------- next part --------------
## <summary>Konqueror KDE web browser</summary>

########################################
## <summary>
##	Role access for konqueror
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`konqueror_role',`
	gen_require(`
		type konqueror_t, konqueror_exec_t, konqueror_home_t;
	')

	#TODO Test what is really needed!

	role $1 types konqueror_t;

	konqueror_domtrans($2)
	# Unrestricted inheritance from the caller.
	allow konqueror_t $2:fd use;
	allow konqueror_t $2:process signal_perms; 
	dontaudit $2 konqueror_t:process { noatsecure siginh rlimitinh };

	# Allow the user domain to signal/ps.
	ps_process_pattern($2, konqueror_t)
	allow $2 konqueror_t:process signal_perms;

	allow $2 konqueror_t:fd use;
	allow $2 konqueror_t:shm { associate getattr };
	allow $2 konqueror_t:shm { unix_read unix_write };
	allow $2 konqueror_t:unix_stream_socket connectto;

	# X access, Home files
	manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)

	userdom_stream_connect(konqueror_t)

	# Allow konqueror to acquire dbus service from user domain and chat with konqueror
	# This is workaround for not yet implemented interface in dbus
	optional_policy(`
		gen_require(`
			class dbus acquire_svc;
		')
		allow konqueror_t $2:dbus acquire_svc;
	')
	konqueror_dbus_chat($2)
')

########################################
## <summary>
##	Execute a domain transition to run konqueror.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`konqueror_domtrans',`
	gen_require(`
		type konqueror_t;
                type konqueror_exec_t;
	')

	domtrans_pattern($1,konqueror_exec_t,konqueror_t)
')


########################################
## <summary>
##	Search konqueror rw directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_search_home',`
	gen_require(`
		type konqueror_home_t;
	')

	allow $1 konqueror_home_t:dir search_dir_perms;
	files_search_rw($1)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read konqueror rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_read_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	allow $1 konqueror_home_t:file read_file_perms;
	allow $1 konqueror_home_t:dir list_dir_perms;
	files_search_rw($1)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Manage konqueror_home_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	manage_files_pattern($1,konqueror_home_t,konqueror_home_t);
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Manage konqueror_home_t symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_symlinks',`
	gen_require(`
		type konqueror_home_t;
	')

	manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t);
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Manage konqueror_home_t directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_dirs',`
	gen_require(`
		type konqueror_home_t;
	')

	manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t);
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Send and receive messages from
##	konqueror over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_dbus_chat',`
	gen_require(`
		type konqueror_t;
		class dbus send_msg;
	')
	allow $1 konqueror_t:dbus send_msg;
	allow konqueror_t $1:dbus send_msg;
')

########################################
## <summary>
##	All of the rules required to administrate 
##	an konqueror environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the konqueror domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the user terminal.
##	</summary>
## </param>
## <rolecap/>
#
interface(`konqueror_admin',`
	gen_require(`
		type konqueror_t;
	')

	allow $1 konqueror_t:process { ptrace signal_perms getattr };
	read_files_pattern($1, konqueror_t, konqueror_t)
	        
	konqueror_manage_home($1)

	optional_policy(`
		kde_manage_tmp($1)
	')
')