From: jsolt@tresys.com (Jeremy Solt)
Date: Fri, 10 Sep 2010 11:23:29 -0400
Subject: [refpolicy] Policy for Konqueror and KDE v8
In-Reply-To: <201009011924.20507.Nicky726@gmail.com>
References: <201009011924.20507.Nicky726@gmail.com>
Message-ID: <1284132209.1749.22.camel@jeremy-ubuntu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-09-01 at 19:24 +0200, Nicky726 wrote:
> Hello,
>
> here I'm again with my policy for KDE and Konqueror after some time. I upgraded
> the policy to work with Konqueror 4.4.5 under KDE 4.4.5 and to compile with
> current git refpolicy. Would you have any comments about the policy?
>
> Thanx in advance,
> Ondrej Vadinsky.
>
> interface(`kde_read_home_files',`
> 	gen_require(`
> 		type kde_home_t;
> 	')
>
> 	allow $1 kde_home_t:file read_file_perms;
> 	allow $1 kde_home_t:dir list_dir_perms;
> 	userdom_search_user_home_dirs($1)
> ')

You should use read_files_pattern here, unless list is really needed.

> +interface(`konqueror_role',`
> +	gen_require(`
> +		type konqueror_t, konqueror_exec_t, konqueror_home_t, konqueror_tmp_t;
> +	')

konqueror_exec_t, konqueror_home_t, and konqueror_tmp_t aren't used here, so
they shouldn't be required.

> +interface(`konqueror_read_home_files',`
> +	gen_require(`
> +		type konqueror_home_t;
> +	')
> +
> +	allow $1 konqueror_home_t:file read_file_perms;
> +	allow $1 konqueror_home_t:dir list_dir_perms;
> +	userdom_search_user_home_dirs($1)
> +')

Same as comment above. Use read_files_pattern unless list is really necessary.

> +## <desc>
> +## <p>
> +## Allow Konqueror to run bin_t because of drkonqi
> +## </p>
> +## </desc>
> +
> +gen_tunable(konqueror_exec_bin_t, false)

I don't see a significant security risk in giving this corecmd_exec_bin
unconditionally. But this depends on your security goals. If this was going to
be upstreamed, we'll probably allow it without the tunable.

> +# Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
> +corecmd_dontaudit_getattr_bin_files(konqueror_t)

This can be removed if you switch to using corecmd_exec_bin

> +# Now KDE temp stuff is created with user_tmp_t with more KDE aps confined
> +# it'll have the right context. For now grant minimal necessary access to usr temp
> +userdom_read_user_tmp_files(konqueror_t)
> +userdom_write_user_tmp_files(konqueror_t)
> +userdom_manage_user_tmp_sockets(konqueror_t)

kde_tmp_t is declared but not used in kde.te, is this the reason for these
calls?

Are you planning on submitting this for inclusion in refpolicy? If so, you may
want to take a look at the style guide here:
http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

-- 
Jeremy J. Solt
Tresys Technology, LLC
410-290-1411 x122