From: domg472@gmail.com (Dominick Grift) Date: Sat, 30 Jan 2010 21:59:22 +0100 Subject: [refpolicy] [PATCH 1/1] Added KDE and Konqueror policy. Made necessary changes in staff, unprivuser and unconfined, for it to work. In-Reply-To: <201001302002.16539.Nicky726@gmail.com> References: <201001302002.16539.Nicky726@gmail.com> Message-ID: <4B649DAA.2020209@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 01/30/2010 08:02 PM, Nicky726 wrote: > Thanks for your comments, I'll provide a better patch soon. In the meantime > just some notes and questions. > >>> +# Temp acces for konqueror >>> +manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t) >>> +manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t) >>> +manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t) >>> +manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t) >> >> This does probably require the user to be able to manage it Well this content (i assume) is shared between konqueror and users. So in that case users must be able to manage this content. > What do you mean by this? > >>> + konqueror_role(staff_r, staff_t) >>> +') >>> + >> >> Should probably go into userdomain (common use template), but i believe >> that for reference policy these calls are not required at all (gets >> called automatically) >> >>> + konqueror_role(user_r, user_t) >>> +') Fedora calls role templates in userdom.if (the common user template) Refpolicy (i think) uses a mechanism that automatically calls the per role templates. So you do not have to call the template explicitly like you do above. >> Same as above >> >>> + konqueror_role(unconfined_r, unconfined_t) >>> +') >>> + >> >> Not sure whether it is a good idea run let unconfined_t transition > > Well I'm definitely confused about where to place these calls. Fedora has it > somewhere, refpolicy elsewhere. Could somebody provide explanation about it? > >> >>> +HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_ >>> r:konqueror_home_t,s0) + >>> +HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_ >>> r:konqueror_home_t,s0) + >>> +HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:ob >>> ject_r:konqueror_home_t,s0) + >>> +HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:obj >>> ect_r:konqueror_home_t,s0) + >>> +HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r >>> :konqueror_home_t,s0) + >>> +HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:ko >>> nqueror_home_t,s0) >> >> Why not just kde_shared_home_t for everything in ~/.kde >> > > Well, I hope this policy to be just a first step in constructing policies for > other KDE aplications, which I think should be also confined from each other, > so that e.g. a weakness in KDE browser would not endager contacts in KDE mail > client. > I see. The issue i guess is the "filetrans_pattern". It is not in the base module. That means you will probably use it in an optional policy block Also you will not be able to use attributes for this type of content properly. Other than that i agree that it is a good idea. The problem is that refpolicy propbably will not accept it. >>> +gen_tunable(konqueror_exec_bin_t, false) >> >> This shouldnt be tunable > > Hm, I made it tunable, because I didn't feel quite right to let konqueror run > bin_t just because of some bug reporting tool. Maybe that was not good idea... > Any special reasons why it sould not be tunable? Well i think tunables should only de used for things that affect security in significant ways. You could consider to just dontaudit it altogether although that is not a proper solution either. > Thanx for your time, > Ondrej Vadinsk? > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100130/89a9f587/attachment.bin