From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 31 Jul 2012 14:32:39 -0400 Subject: [refpolicy] kdialog and Chromium In-Reply-To: <20120727091218.GB13778@siphos.be> References: <201207271614.43908.russell@coker.com.au> <20120727091218.GB13778@siphos.be> Message-ID: <501824C7.6020505@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/27/12 05:12, Sven Vermeulen wrote: > On Fri, Jul 27, 2012 at 04:14:43PM +1000, Russell Coker wrote: >> Currently on Debian/Wheezy it's impossible to download files in Chromium when >> you are running a KDE session. >> >> Chromium launches kdialog to display the dialog box to ask where the file >> should be saves. kdialog wants to write to files such as >> ~/.kde/share/config/kdebugrc.lock which isn't permitted for mozilla_t. >> >> One possibility that occurs to me is to have kdialog transition to user_t. >> Transitioning from mozilla_t isn't generally a good thing, and breaks the case >> of running mozilla_t from multiple user domains (multiple user domains is >> essentially a broken feature of the policy anyway). >> >> Apart from modifying kdialog to not depend on the ability to write to >> kdebugrc.lock what can I do to solve this? > > Russel, sorry for sending you previous mails privately, wasn't my intention. > > As I said, I'm working on a (separate[1]) domain for chromium and hit similar > issues too (for instance when accessing ~/.pki) since I am trying to get the > browsers running without requiring access to user_home_t stuff. > > Perhaps we can allow for a sharable lock file type (kde_lock_t) and allow > the domain search rights in the kde_home_t stuff (I'm assuming these are the > domains, I don't have any kde_* stuff here) and an automated file transition > when a file with the name "kdebugrc.lock" is written in kde_home_t to > kde_lock_t ? At the moment, I don't have any suggestions beyond something like this. Not unless you want a conditional for writing out files to the home dir. > [1] Chromium itself can be built with SELinux-enabled, but then requires > that the policy supports a domain called chromium_renderer_t (which it > dynamically transitions to). It doesn't make sense to include this in the > mozilla_t domain. Is chromium_renderer_t hard coded into Chromium or does it sanely expect an appconfig file (like initrc_context or userhelper_context)? -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com