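From: nicky726@gmail.com (Nicky726) Date: Thu, 28 Jan 2010 13:09:53 +0100 Subject: [refpolicy] Policy for Konqueror and KDE, 4th look Message-ID: <201001281309.53465.Nicky726@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello, I've done the necessary testing and here I am to ask more comments to my policy for Konqueror and KDE. >From my point of view there is just one remaining issue: as marked in comments, I am not sure if some stuff concerning process communication is needed, when not using targeted policy with unconfined user. Actually I don't know how to test it, because with strict policy KDE won't even run, as there is no policy except from this. Do you think, that my policy is ready to be adopted to refpolicy, or should I do some more refinement? Thanx for your time, Ondrej Vadinsky -- Don`t it always seem to go That you don`t know what you`ve got Till it`s gone. (Joni Mitchell) -------------- next part --------------
# kde.fc
#
# Qt config file shared by all Qt/KDE applications of the user.
HOME_DIR/\.config/Trolltech\.conf	--	gen_context(system_u:object_r:kde_shared_home_t,s0)

# KDE home. Everything below ~/.kde defaults to the shared type; more
# specific entries in other modules (e.g. konqueror.fc) win for their paths.
HOME_DIR/\.kde(/.*)?	gen_context(system_u:object_r:kde_shared_home_t,s0)
-------------- next part --------------
## <summary>KDE desktop environment</summary>

########################################
## <summary>
##	Search kde_shared_home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_search_home',`
	gen_require(`
		type kde_shared_home_t;
	')

	# kde_shared_home_t lives under HOME_DIR, so the caller also needs
	# search on the home directory path leading to it.
	userdom_search_user_home_dirs($1)
	allow $1 kde_shared_home_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read kde_shared_home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_read_home_files',`
	gen_require(`
		type kde_shared_home_t;
	')

	# Fix: the previous revision passed a bare dollar sign here instead
	# of $1. A lone dollar sign is not an m4 argument reference, so the
	# home directory search rule was never emitted for the caller.
	userdom_search_user_home_dirs($1)
	allow $1 kde_shared_home_t:dir list_dir_perms;
	allow $1 kde_shared_home_t:file read_file_perms;
')

########################################
## <summary>
##	Manage kde_shared_home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.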
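##	</summary>
## </param>
#
interface(`kde_manage_home_files',`
	gen_require(`
		type kde_shared_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, kde_shared_home_t, kde_shared_home_t)
')

########################################
## <summary>
##	Manage kde_shared_home symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_manage_home_symlinks',`
	gen_require(`
		type kde_shared_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_lnk_files_pattern($1, kde_shared_home_t, kde_shared_home_t)
')

########################################
## <summary>
##	Manage kde_shared_home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_manage_home_dirs',`
	gen_require(`
		type kde_shared_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_dirs_pattern($1, kde_shared_home_t, kde_shared_home_t)
')

########################################
## <summary>
##	Create files, directories, symlinks and sockets of a private
##	type inside kde_shared_home_t directories, with a type
##	transition so they do not inherit the shared type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private type of the created object.
##	</summary>
## </param>
#
interface(`kde_home_filetrans',`
	gen_require(`
		type kde_shared_home_t;
	')

	kde_search_home($1)
	# Without the transition a new object would take the type of the
	# parent directory, kde_shared_home_t, instead of the private type.
	filetrans_pattern($1, kde_shared_home_t, $2, { file lnk_file sock_file dir })
')

########################################
## <summary>
##	Create, read, write, and delete kde_shared_tmp_t
##	temporary content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_manage_tmp',`
	gen_require(`
		type kde_shared_tmp_t;
	')

	# Added so that konqueror_admin, which already calls kde_manage_tmp,
	# has something to resolve against; kde.te declares the type but
	# the previous revision exposed no interface for it.
	files_search_tmp($1)
	manage_dirs_pattern($1, kde_shared_tmp_t, kde_shared_tmp_t)
	manage_files_pattern($1, kde_shared_tmp_t, kde_shared_tmp_t)
	manage_lnk_files_pattern($1, kde_shared_tmp_t, kde_shared_tmp_t)
')
-------------- next part --------------
policy_module(kde, 0.1)

########################################
#
# Declarations
#

# Temporary content shared between KDE applications of one user.
type kde_shared_tmp_t;
files_tmp_file(kde_shared_tmp_t)
ubac_constrained(kde_shared_tmp_t)

# ~/.kde and ~/.config/Trolltech.conf (see kde.fc); userdom_user_home_content
# also applies the UBAC constraint for home content.
type kde_shared_home_t;
userdom_user_home_content(kde_shared_home_t)
-------------- next part --------------
# konqueror.fc
/usr/bin/konqueror	--	gen_context(system_u:object_r:konqueror_exec_t,s0)

# Konqueror-private configuration below ~/.kde; these entries are more
# specific than the kde.fc catch-all and therefore take precedence.
HOME_DIR/\.kde/share/config/konq_history	--	gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/konquerorrc	--	gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/konqsidebartng.rc	--	gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/kuriikwsfilterrc	--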
gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/apps/konqueror(/.*)?	gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/apps/khtml(/.*)?	gen_context(system_u:object_r:konqueror_home_t,s0)
-------------- next part --------------
## <summary>Konqueror KDE web browser</summary>

########################################
## <summary>
##	Role access for konqueror: let a user role run konqueror in
##	konqueror_t and let the user domain control the result.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`konqueror_role',`
	gen_require(`
		type konqueror_t, konqueror_exec_t, konqueror_home_t;
	')

	role $1 types konqueror_t;

	# Executing konqueror_exec_t from the user domain transitions to konqueror_t.
	konqueror_domtrans($2)

	# NOTE: this lets the browser signal the user domain, not only the
	# other way round. Harmless for a single user but it is more than the
	# user-to-browser direction below; keep it only if a denial shows it.
	allow konqueror_t $2:process signal_perms;
	dontaudit $2 konqueror_t:process { noatsecure siginh rlimitinh };

	# Allow the user domain to signal/ps.
	ps_process_pattern($2, konqueror_t)
	allow $2 konqueror_t:process signal_perms;

	# Not sure if needed, unneeded with unconfineduser.
	# NOTE: unconfined_t is allowed everything, so testing under it
	# cannot show whether these are required. Leave them commented until
	# a run under a confined user domain produces an AVC denial for them.
	#allow $2 konqueror_t:fd use;
	#allow $2 konqueror_t:shm { associate getattr };
	#allow $2 konqueror_t:shm { unix_read unix_write };
	#allow $2 konqueror_t:unix_stream_socket connectto;

	# Home files: the user domain may manage and relabel konqueror content
	# so that restorecon and manual cleanup from the shell keep working.
	# No X rules are granted here; the X access lives in konqueror.te.
	manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)

	# konqueror connects to unix stream sockets of the user domain.
	userdom_stream_connect(konqueror_t)

	# Allow konqueror to acquire dbus service from user domain and chat with konqueror
	# This is workaround for not yet implemented interface in dbus
	optional_policy(`
		gen_require(`
			class dbus acquire_svc;
		')

		allow konqueror_t $2:dbus acquire_svc;
	')

	konqueror_dbus_chat($2)
')

########################################
## <summary>
##	Execute a domain transition to run konqueror.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
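##	</summary>
## </param>
#
interface(`konqueror_domtrans',`
	gen_require(`
		type konqueror_t, konqueror_exec_t;
	')

	domtrans_pattern($1, konqueror_exec_t, konqueror_t)
')

########################################
## <summary>
##	Search konqueror_home_t directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_search_home',`
	gen_require(`
		type konqueror_home_t;
	')

	# konqueror_home_t is only ever labeled under HOME_DIR, so the caller
	# needs search on the home directory path and nothing else. The
	# files_search_rw call of the previous revision granted search on
	# unrelated rw directories and was a leftover from a template.
	userdom_search_user_home_dirs($1)
	allow $1 konqueror_home_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read konqueror_home_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_read_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	# Same reasoning as konqueror_search_home: home content, no rw dirs.
	userdom_search_user_home_dirs($1)
	allow $1 konqueror_home_t:dir list_dir_perms;
	allow $1 konqueror_home_t:file read_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete konqueror_home_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	userdom_search_user_home_dirs($1)
	# No trailing semicolon: the pattern macro already expands to fully
	# terminated allow rules, so an extra one would leave a bare
	# statement terminator in the generated policy.
	manage_files_pattern($1, konqueror_home_t, konqueror_home_t)
')

########################################
## <summary>
##	Create, read, write, and delete konqueror_home_t symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_symlinks',`
	gen_require(`
		type konqueror_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_lnk_files_pattern($1, konqueror_home_t, konqueror_home_t)
')

########################################
## <summary>
##	Create, read, write, and delete konqueror_home_t directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_dirs',`
	gen_require(`
		type konqueror_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_dirs_pattern($1, konqueror_home_t, konqueror_home_t)
')

########################################
## <summary>
##	Send and receive messages from
##	konqueror over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.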
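##	</summary>
## </param>
#
interface(`konqueror_dbus_chat',`
	gen_require(`
		type konqueror_t;
		class dbus send_msg;
	')

	# Bidirectional: the caller may message konqueror and konqueror may
	# answer. The class is required here so the interface also works in
	# policies where dbus is not otherwise referenced by the caller.
	allow $1 konqueror_t:dbus send_msg;
	allow konqueror_t $1:dbus send_msg;
')

########################################
## <summary>
##	All of the rules required to administrate
##	a konqueror environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the konqueror domain.
##	Currently unused: konqueror has no init script or
##	separate administrative domain to transition into.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the user terminal. Currently unused, see role.
##	</summary>
## </param>
#
interface(`konqueror_admin',`
	gen_require(`
		type konqueror_t, konqueror_home_t, konqueror_tmp_t;
	')

	allow $1 konqueror_t:process { ptrace signal_perms getattr };
	# Covers the /proc/PID reads the previous read_files_pattern granted,
	# plus the directory listing and symlink reads ps actually needs.
	ps_process_pattern($1, konqueror_t)

	# The previous revision called konqueror_manage_home, which is not
	# defined anywhere in konqueror.if; use the per-class interfaces.
	konqueror_manage_home_files($1)
	konqueror_manage_home_symlinks($1)
	konqueror_manage_home_dirs($1)

	# The browser also writes konqueror_tmp_t, which an admin must be
	# able to inspect and clean up.
	files_list_tmp($1)
	admin_pattern($1, konqueror_tmp_t)

	# kde_manage_tmp is provided by the kde module, hence optional.
	optional_policy(`
		kde_manage_tmp($1)
	')
')
-------------- next part --------------
policy_module(konqueror, 0.4)

########################################
#
# Konqueror personal declarations
#

## <desc>
## <p>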

## Allow Konqueror to run bin_t because of drkonqi ##

##
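gen_tunable(konqueror_exec_bin_t, false)

type konqueror_t;
type konqueror_exec_t;
application_domain(konqueror_t, konqueror_exec_t)
ubac_constrained(konqueror_t)

# Konqueror-private content under ~/.kde (see konqueror.fc).
type konqueror_home_t;
userdom_user_home_content(konqueror_home_t)

type konqueror_tmp_t;
files_tmp_file(konqueror_tmp_t)
ubac_constrained(konqueror_tmp_t)

########################################
#
# Konqueror local policy
#

allow konqueror_t self:fifo_file rw_file_perms;	# internal communication using fifos
allow konqueror_t self:process getsched;	# read its own scheduling priority
allow konqueror_t self:tcp_socket create_stream_socket_perms;

# Internal communication between konqueror processes is done over dbus.
konqueror_dbus_chat(konqueror_t)

# Temp access for konqueror.
manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)

# Full access to konqueror home.
konqueror_manage_home_files(konqueror_t)
konqueror_manage_home_symlinks(konqueror_t)
konqueror_manage_home_dirs(konqueror_t)

#
# Interfaces from the kernel layer
#

# Konqueror runs drkonqi (bin_t). For now dontaudit, in future confine.
# XXX: corecmd_dontaudit_exec_all_executables silences every exec denial,
# including the one that would tell an administrator to enable the
# konqueror_exec_bin_t boolean below. Narrow this once drkonqi has its own
# domain, and do not add further dontaudits while the policy is still being
# developed against AVC denials.
corecmd_dontaudit_getattr_bin_files(konqueror_t)
corecmd_dontaudit_exec_all_executables(konqueror_t)

# Network access. Packets on any port, but outbound connects only to the
# browser-relevant port types (http_port_t covers 443 in refpolicy
# corenetwork). The previous revision used the *_all_if / *_all_nodes
# variants, which are only needed for labeled interfaces or nodes.
corenet_all_recvfrom_unlabeled(konqueror_t)
corenet_tcp_sendrecv_generic_if(konqueror_t)
corenet_tcp_sendrecv_generic_node(konqueror_t)
corenet_tcp_sendrecv_all_ports(konqueror_t)
corenet_tcp_connect_ftp_data_port(konqueror_t)
corenet_tcp_connect_ftp_port(konqueror_t)
corenet_tcp_connect_http_port(konqueror_t)
corenet_tcp_connect_http_cache_port(konqueror_t)

dev_read_urand(konqueror_t)	# /dev/urandom

files_read_etc_files(konqueror_t)
files_read_usr_files(konqueror_t)	# /usr

fs_getattr_xattr_fs(konqueror_t)	# extended attribute support

kernel_read_system_state(konqueror_t)	# /proc

#
# Interfaces from the system layer
#

# Use shared libs.
libs_use_ld_so(konqueror_t)
libs_use_shared_libs(konqueror_t)

# Read localization and fonts.
miscfiles_read_fonts(konqueror_t)
miscfiles_read_localization(konqueror_t)

sysnet_dns_name_resolve(konqueror_t)

# Now KDE temp stuff is created with user_tmp_t; with more KDE apps confined
# it will have the right context. For now grant minimal necessary access to
# user temp.
userdom_read_user_tmp_files(konqueror_t)
userdom_use_user_terminals(konqueror_t)	# run from a terminal

# Ensure that objects konqueror creates in user_tmp_t directories are
# labeled konqueror_tmp_t instead of inheriting user_tmp_t.
userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })

#
# Interfaces from other layers
#

xserver_read_xdm_tmp_files(konqueror_t)
xserver_read_user_xauth(konqueror_t)
xserver_stream_connect(konqueror_t)	# connect to the X server
xserver_stream_connect_xdm(konqueror_t)	# connect to the xdm X server

#
# Tunable policies
#

tunable_policy(`konqueror_exec_bin_t',`
	corecmd_exec_bin(konqueror_t)
')

#
# Optional policies
#

# Access to kde_shared_home_t, should be reduced in future.
# The filetrans keeps konqueror_home_t objects created inside a
# kde_shared_home_t directory from taking the parent directory type.
optional_policy(`
	kde_manage_home_files(konqueror_t)
	kde_manage_home_symlinks(konqueror_t)
	kde_manage_home_dirs(konqueror_t)
	kde_home_filetrans(konqueror_t, konqueror_home_t)
')

########################################
#
# Testing hook
#

# XXX: for testing purposes only, remove before merging into refpolicy.
# The unconfined user is normally wired to application roles from
# unconfined.te, not from the application module. Wrapped in optional_policy
# so the module still builds on a policy without the unconfined module
# instead of failing on the require.
optional_policy(`
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')

	konqueror_role(unconfined_r, unconfined_t)
')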