From: jsolt@tresys.com (Jeremy Solt)
Date: Fri, 10 Sep 2010 11:23:29 -0400
Subject: [refpolicy] Policy for Konqueror and KDE v8
In-Reply-To: <201009011924.20507.Nicky726@gmail.com>
References: <201009011924.20507.Nicky726@gmail.com>
Message-ID: <1284132209.1749.22.camel@jeremy-ubuntu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-09-01 at 19:24 +0200, Nicky726 wrote:
> Hello, 
> 
> here I'm again with my policy for KDE and Konqueror after some time. I upgraded 
> the policy to work with Konqueror 4.4.5 under KDE 4.4.5 and to compile with 
> current git refpolicy. Would you have any comments about the policy?
> 
> Thanx in advance,
> Ondrej Vadinsky.
> 


> interface(`kde_read_home_files',`
>         gen_require(`
>                 type kde_home_t;
>         ')
> 
>         allow $1 kde_home_t:file read_file_perms;
>         allow $1 kde_home_t:dir list_dir_perms;
>         userdom_search_user_home_dirs($)
> ')
You should use read_files_pattern here, unless list is really needed.


> +interface(`konqueror_role',`
> +       gen_require(`
> +               type konqueror_t, konqueror_exec_t, konqueror_home_t,
konqueror_tmp_t;
> +       ')
konqueror_exec_t, konqueror_home_t, and konqueror_tmp_t aren't used
here, so they shouldn't be required.


> +interface(`konqueror_read_home_files',`
> +       gen_require(`
> +               type konqueror_home_t;
> +       ')
> +
> +       allow $1 konqueror_home_t:file read_file_perms;
> +       allow $1 konqueror_home_t:dir list_dir_perms;
> +       userdom_search_user_home_dirs($1)
> +')
Same as comment above. Use read_files_pattern unless list is really
necessary.


> +## <desc>
> +## <p>
> +## Allow Konqueror to run bin_t because of drkonqi
> +## </p>
> +## </desc>
> +
> +gen_tunable(konqueror_exec_bin_t, false)
I don't see a significant security risk in giving this corecmd_exec_bin
unconditionally. But this depends on your security goals. If this was
going to be upstreamed, we'll probably allow it without the tunable.


> +# Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
> +corecmd_dontaudit_getattr_bin_files(konqueror_t)
This can be removed if you switch to using corecmd_exec_bin


> +# Now KDE temp stuff is created with user_tmp_t with more KDE aps
confined
> +# it'll have the right context. For now grant minimal necessary
access to usr temp
> +userdom_read_user_tmp_files(konqueror_t)
> +userdom_write_user_tmp_files(konqueror_t)
> +userdom_manage_user_tmp_sockets(konqueror_t)

kde_tmp_t is declared but not used in kde.te, is this the reason for
these calls? 


Are you planning on submitting this for inclusion in refpolicy? If so,
you may want to take a look at the style guide here:
http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide



-- 
Jeremy J. Solt
Tresys Technology, LLC
410-290-1411 x122