From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 31 Jul 2012 21:13:13 +0200
Subject: [refpolicy] kdialog and Chromium
In-Reply-To: <501824C7.6020505@tresys.com>
References: <201207271614.43908.russell@coker.com.au> <20120727091218.GB13778@siphos.be> <501824C7.6020505@tresys.com>
Message-ID: <20120731191312.GB17454@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Jul 31, 2012 at 02:32:39PM -0400, Christopher J. PeBenito wrote:
> On 07/27/12 05:12, Sven Vermeulen wrote:
> > As I said, I'm working on a (separate[1]) domain for chromium and hit similar
> > issues too (for instance when accessing ~/.pki) since I am trying to get the
> > browsers running without requiring access to user_home_t stuff.
> >
> > Perhaps we can allow for a sharable lock file type (kde_lock_t) and allow
> > the domain search rights in the kde_home_t stuff (I'm assuming these are the
> > domains, I don't have any kde_* stuff here) and an automated file transition
> > when a file with the name "kdebugrc.lock" is written in kde_home_t to
> > kde_lock_t?
>
> At the moment, I don't have any suggestions beyond something like this. Not
> unless you want a conditional for writing out files to the home dir.

I'm actually more inclined (and am trying) to support a downloads type where
browsers have the necessary rights to, but nowhere else. Browsers are too
public an attack vector lately, so the less I need them to write (or even read)
user home content the better.

> > [1] Chromium itself can be built SELinux-enabled, but then requires
> > that the policy supports a domain called chromium_renderer_t (which it
> > dynamically transitions to). It doesn't make sense to include this in the
> > mozilla_t domain.
>
> Is chromium_renderer_t hardcoded into Chromium or does it sanely expect an
> appconfig file (like initrc_context or userhelper_context)?
It's currently hardcoded, but I think it is because of inexperience:

~$ grep -HR chromium_renderer_t ~/Development/build/tmp/chromium-20.0.1132.43/
content/browser/zygote_main_linux.cc:    SELinuxTransitionToTypeOrDie("chromium_renderer_t");

Wkr,
  Sven Vermeulen
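The two policy mechanisms the thread talks around (a named file transition so that a lock file created in the KDE home directory lands in a sharable type instead of user_home_t, and the process dyntransition that Chromium's zygote performs with SELinuxTransitionToTypeOrDie) can be written down as a refpolicy-style module. The module below is an added illustration for this editorial copy of the thread; it is not Sven's chromium policy, not part of refpolicy, and not part of Chromium. Every type name except chromium_renderer_t (which the grep output shows hardcoded in Chromium) is an assumption: kde_home_t and kde_lock_t are the guesses made in the quoted message, and chromium_t, chromium_exec_t and chromium_download_t are chosen here for the sketch. The fifth argument to filetrans_pattern assumes a refpolicy with name-based file transitions, which the quoted proposal itself depends on.

```selinux
## Illustrative module, not refpolicy or Chromium code. All type names
## other than chromium_renderer_t are assumptions made for this example.
policy_module(chromium_example, 1.0.0)

########################################
# Declarations

# Browser domain and its entry point (assumed names).
type chromium_t;
type chromium_exec_t;
userdom_user_application_domain(chromium_t, chromium_exec_t)

# Domain the zygote switches to via setcon(); name is hardcoded in Chromium.
type chromium_renderer_t;
domain_type(chromium_renderer_t)

# Home-directory types guessed in the thread (assumed here as well).
type kde_home_t;
userdom_user_home_content(kde_home_t)
type kde_lock_t;
userdom_user_home_content(kde_lock_t)

# The "downloads type": the only home-directory content the browser may manage.
type chromium_download_t;
userdom_user_home_content(chromium_download_t)

########################################
# Browser domain policy

# Dynamic transition: the caller needs setcurrent on itself and dyntransition
# to the target. No entrypoint file is involved, unlike an exec transition.
allow chromium_t self:process setcurrent;
allow chromium_t chromium_renderer_t:process dyntransition;
# Inherited descriptors survive the switch, so the renderer must be allowed to use them.
allow chromium_renderer_t chromium_t:fd use;

# Lock file: search (not read/write) on kde_home_t, and any file the browser
# creates there under the literal name "kdebugrc.lock" is born as kde_lock_t.
allow chromium_t kde_home_t:dir search_dir_perms;
filetrans_pattern(chromium_t, kde_home_t, kde_lock_t, file, "kdebugrc.lock")
allow chromium_t kde_lock_t:file manage_file_perms;

# Downloads: full management of chromium_download_t, reached by searching the
# home directory hierarchy, with no rule touching user_home_t files at all.
userdom_search_user_home_dirs(chromium_t)
manage_dirs_pattern(chromium_t, chromium_download_t, chromium_download_t)
manage_files_pattern(chromium_t, chromium_download_t, chromium_download_t)
```

Two checks worth running if you try something like this: `sesearch -T -s chromium_t -t kde_home_t` should show the type_transition carrying the "kdebugrc.lock" filename, and after the module is loaded the browser's AVC denials against user_home_t should disappear rather than just move to a different type. The dyntransition also inherits the kernel's own constraint: setcon() on a multithreaded process fails with EPERM unless the target type is bounded by the caller's type (typebounds), which is one reason the zygote, not a renderer thread, is the place Chromium does it.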