From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 21 Jun 2012 14:53:27 -0400
Subject: [refpolicy] [PATCH v2]: missing file context for
 system-tools-backends (gnome)
In-Reply-To: <1340304079.2992.37.camel@vortex>
References: <1340226181.23287.2.camel@vortex>
	<1340268079.9690.35.camel@x220.mydomain.internal>
	<1340300284.2992.9.camel@vortex>
	<1340301537.9690.45.camel@x220.mydomain.internal>
	<1340302019.9690.46.camel@x220.mydomain.internal>
	<1340304079.2992.37.camel@vortex>
Message-ID: <4FE36DA7.2020803@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/21/2012 02:41 PM, Guido Trentalancia wrote:
> Hello Dominick.
> 
> On Thu, 2012-06-21 at 20:06 +0200, Dominick Grift wrote:
>> And by the way the file context specification belongs in corecommands.fc 
>> file because of type bin_t.
> 
> I am not sure why you suggest a different name for the boolean, when the 
> rest of the policy uses the "allow_" prefix for booleans that 
> activate/deactivate support for components/packages.
> 
> However, here is a revised version with the amendments:
> 
> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc	2012-05-29
> 21:13:09.426703690 +0200 +++
> refpolicy-04062012-system-tools-backends/policy/modules/kernel/corecommands.fc
> 2012-06-21 20:30:47.631775829 +0200 @@ -295,6 +295,7 @@
> ifdef(`distro_gentoo',` /usr/share/shorewall-lite(/.*)?
> gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall6-lite(/.*)?
> gen_context(system_u:object_r:bin_t,s0) 
> /usr/share/spamassassin/sa-update\.cron
> gen_context(system_u:object_r:bin_t,s0) 
> +/usr/share/system-tools-backends.*/scripts/SystemToolsBackends.pl	--
> gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)?	--
> gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)?
> gen_context(system_u:object_r:bin_t,s0)
> 
> --- refpolicy-04062012/policy/modules/contrib/dbus.fc	2011-09-09
> 18:29:23.566610878 +0200 +++
> refpolicy-04062012-system-tools-backends/policy/modules/contrib/dbus.fc
> 2012-06-21 20:30:57.117774699 +0200 @@ -12,6 +12,8 @@
> 
> /var/run/dbus(/.*)?
> gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
> 
> +/var/cache/system-tools-backends(/.*)?
> gen_context(system_u:object_r:system_dbusd_var_run_t,s0) + 
> ifdef(`distro_redhat',` /var/named/chroot/var/run/dbus(/.*)?
> gen_context(system_u:object_r:system_dbusd_var_run_t,s0) ') ---
> refpolicy-04062012/policy/modules/contrib/dbus.te	2011-09-09
> 18:29:23.566610878 +0200 +++
> refpolicy-04062012-system-tools-backends/policy/modules/contrib/dbus.te
> 2012-06-21 20:32:21.612867416 +0200 @@ -9,6 +9,13 @@ gen_require(` #
> Delcarations #
> 
> +## <desc> +## <p> +## Determine whether system-tools-backends is
> supported. +## </p> +## </desc> +gen_tunable(system_tools_backends_support,
> true) + attribute dbusd_unconfined; attribute session_bus_type;
> 
> @@ -112,6 +119,12 @@ corecmd_list_bin(system_dbusd_t) 
> corecmd_read_bin_pipes(system_dbusd_t) 
> corecmd_read_bin_sockets(system_dbusd_t)
> 
> +# needed for system-tools-backends 
> +tunable_policy(`allow_system_tools_backends',` +
> corecmd_exec_bin(system_dbusd_t) +	corecmd_exec_shell(system_dbusd_t) +') 
> + domain_use_interactive_fds(system_dbusd_t) 
> domain_read_all_domains_state(system_dbusd_t)
> 
> 
> Regards,
> 
> Guido
> 
>> On Thu, 2012-06-21 at 19:58 +0200, Dominick Grift wrote:
>>> On Thu, 2012-06-21 at 19:38 +0200, Guido Trentalancia wrote:
>>>> Hello Dominick.
>>>> 
>>>> On Thu, 2012-06-21 at 10:41 +0200, Dominick Grift wrote:
>>>>> On Wed, 2012-06-20 at 23:03 +0200, Guido Trentalancia wrote:
>>>>>> I think the following file context is still missing in current
>>>>>> reference policy for an optional Gnome package (that shouldn't
>>>>>> need its own policy):
>>>>>> 
>>>>>> Add the generic binary executable label to the script from System
>>>>>> Tools Backends.
>>>>>> 
>>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- 
>>>>>> policy/modules/contrib/gnome.fc |    2 ++ 1 file changed, 2
>>>>>> insertions(+)
>>>>>> 
>>>>>> --- refpolicy-04062012/policy/modules/contrib/gnome.fc	2011-09-09
>>>>>> 18:29:23.571610910 +0200 +++
>>>>>> refpolicy-04062012-system-tools-backends/policy/modules/contrib/gnome.fc
>>>>>> 2012-06-20 22:41:01.448465819 +0200 @@ -7,3 +7,5 @@
>>>>>> HOME_DIR/\.gnome2(/.*)?		gen_context(sys /tmp/gconfd-USER/.*	--
>>>>>> gen_context(system_u:object_r:gconf_tmp_t,s0)
>>>>>> 
>>>>>> /usr/libexec/gconfd-2 	--
>>>>>> gen_context(system_u:object_r:gconfd_exec_t,s0) + 
>>>>>> +/usr/share/system-tools-backends-2.0/scripts/SystemToolsBackends.pl
>>>>>> --	gen_context(system_u:object_r:bin_t,s0)
>>>>>> 
>>>>> 
>>>>> This specification only applies to "-2.0". Can you make it more
>>>>> generic?
>>>>> 
>>>>> Maybe something like:
>>>>> 
>>>>> /usr/share/system-tools-backends.*/scripts/SystemToolsBackends.pl
>>>>> 
>>>>> will work?
>>>> 
>>>> Yes, good point.
>>>> 
>>>> Also, it would better fit into the dbus module rather than the gnome 
>>>> one.
>>>> 
>>>> And I think when it is actually getting used, for example by 
>>>> gnome-system-tools, it needs at least some policy modifications to
>>>> the dbus module (e.g. corecmd_exec_shell+corecmd_exec_bin), so it's a
>>>> bit more complicated than just that.
>>>> 
>>>> Perhaps, this is a better starting point ?
>>> 
>>> I dont know what this package actually is except to its description
>>> 
>>> "a set of cross-platform modules for Linux, FreeBSD and other Unix 
>>> systems. The backends provide an common DBus interface to all
>>> platforms to modify or read the system configuration in a distro
>>> independent fashion. "
>>> 
>>> Looking at the fedora policy seems it only needs:
>>> 
>>> # needed for system-tools-backends corecmd_exec_shell(system_dbusd_t)
>>> 
>>> Whether this should allowed conditionally is debatable i guess.
>>> 
>>> Fedora allows it unconditionally.
>>> 
>>> I guess fedora decided to run this in the system_dbusd_t domain rather 
>>> than in a private domain. I am not sure why that was decided and if 
>>> thats optimal.
>>> 
>>> Also dont prepend your boolean names with "allow", prepend it with the 
>>> name if the module that has it declared or something: 
>>> dbus_system_tools_backend_support or something (not even sure whther 
>>> this belongs in the dbus module)
>>> 
>>> Description should be something like: "Determine whether system tools 
>>> backend is supported" or whatever.
>>> 
>>>> --- refpolicy-04062012/policy/modules/contrib/dbus.fc	2011-09-09
>>>> 18:29:23.566610878 +0200 +++
>>>> refpolicy-04062012-system-tools-backends/policy/modules/contrib/dbus.fc
>>>> 2012-06-21 19:25:26.577167925 +0200 @@ -8,10 +8,14 @@ 
>>>> /usr/bin/dbus-daemon(-1)? --
>>>> gen_context(system_u:object_r:dbusd_exec_t,s0) 
>>>> /usr/libexec/dbus-daemon-launch-helper --
>>>> gen_context(system_u:object_r:dbusd_exec_t,s0)
>>>> 
>>>> +/usr/share/system-tools-backends.*/scripts/SystemToolsBackends.pl	--
>>>> gen_context(system_u:object_r:bin_t,s0) + /var/lib/dbus(/.*)?
>>>> gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
>>>> 
>>>> /var/run/dbus(/.*)?
>>>> gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
>>>> 
>>>> +/var/cache/system-tools-backends(/.*)?
>>>> gen_context(system_u:object_r:system_dbusd_var_run_t,s0) + 
>>>> ifdef(`distro_redhat',` /var/named/chroot/var/run/dbus(/.*)?
>>>> gen_context(system_u:object_r:system_dbusd_var_run_t,s0) ') ---
>>>> refpolicy-04062012/policy/modules/contrib/dbus.te	2011-09-09
>>>> 18:29:23.566610878 +0200 +++
>>>> refpolicy-04062012-system-tools-backends/policy/modules/contrib/dbus.te
>>>> 2012-06-21 19:22:02.830368908 +0200 @@ -9,6 +9,13 @@ gen_require(` #
>>>> Delcarations #
>>>> 
>>>> +## <desc> +## <p> +## Enable support for system-tools-backends. +##
>>>> </p> +## </desc> +gen_tunable(allow_system_tools_backends, false) + 
>>>> attribute dbusd_unconfined; attribute session_bus_type;
>>>> 
>>>> @@ -112,6 +119,12 @@ corecmd_list_bin(system_dbusd_t) 
>>>> corecmd_read_bin_pipes(system_dbusd_t) 
>>>> corecmd_read_bin_sockets(system_dbusd_t)
>>>> 
>>>> +# needed for system-tools-backends 
>>>> +tunable_policy(`allow_system_tools_backends',` +
>>>> corecmd_exec_bin(system_dbusd_t) +
>>>> corecmd_exec_shell(system_dbusd_t) +') + 
>>>> domain_use_interactive_fds(system_dbusd_t) 
>>>> domain_read_all_domains_state(system_dbusd_t)
> 
> 
> _______________________________________________ refpolicy mailing list 
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
> 


I can't seem to find this package in Fedora 18?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEUEARECAAYFAk/jbacACgkQrlYvE4MpobOSGQCXUFHtI2IWmWhCO6sKB9jKSFj1
rwCgoMwMrORcCIlKiOnNta9vWfQC7Ng=
=ASMb
-----END PGP SIGNATURE-----