From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 01 Aug 2012 16:41:27 +0200
Subject: [refpolicy] kdialog and Chromium
In-Reply-To:
References: <201207271614.43908.russell@coker.com.au> <20120727091218.GB13778@siphos.be> <501824C7.6020505@tresys.com> <20120731191312.GB17454@siphos.be> <5018308B.4040008@tresys.com> <20120731192849.GD17454@siphos.be> <1343775587.23552.4.camel@d30.localdomain> <1343776837.23552.20.camel@d30.localdomain>
Message-ID: <1343832087.28996.6.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-08-01 at 08:47 +0200, Sven Vermeulen wrote:
>
> On Wed, 2012-08-01 at 00:59 +0200, Dominick Grift wrote:
> > In a perfect freedesktop home directory all app config, data and cache content is in ~/.config, ~/.cache and ~/.local/share. That in my view is what we should focus on first. Then all the app config, data and cache content that is not currently in a proper freedesktop xdg location.
> >
> > Many user applications need full access to generic user home content.
> >
> > Consider you uploading a photo from ~/Pictures to Picasa, a ~/Videos to YouTube, or downloading some content to ~/Downloads with your browser or as an attachment with your mail client or whatever.
> >
> > Think carefully about this please.
> >
> > It is just not that easy to do. To do this properly, or at least build a solid foundation, you need to confine the layer between the user, user apps and the system. Namely the desktop environment.
> >
> > This will introduce other issues, where users run apps that run apps that run apps on your behalf. How to tell SELinux on whose behalf the app runs? (User role prefixed types is one way.)
> >
> > I believe it's better to think about all these issues first and get some consensus on that. It might save some work and time in the long run.
>
> User content is a generic type and is currently used for *all* of that user's content. In my opinion, it is like we would only have var_t and nothing else.

If you are going to compare it to, for example, var_t, then the generic type for user content is user_home_dir_t in my view. But you cannot compare it

> Confinement of the userspace is a different animal than confinement of the services or daemons - the latter have a much better defined behavior than users.
>
> However, that doesn't mean we can't provide better confinement for user-run applications too. My first focus now is to handle browsers (individually) and allow administrators to define the access for these browsers.

Browsers are complex beasts. They can run all kinds of things on behalf of the user. Consider media players, plugins, mail clients etc. To confine a browser in my view means to confine any of these user applications. Needless to say, all these individual applications also interact with and operate on other dependencies.

> I don't agree with your viewpoint that browsers need read/write access to all content, but I don't have to. SELinux supports booleans, and I'm going to use that to allow administrators to define the different 'levels' of access.
>
> chromium_read_user_content (default: true)
> chromium_manage_user_content (default: false)
>
> With these booleans you have the ability to control for your situation what you believe matches your expectations (namely read/write access to user content) whereas I can limit the access to just the downloads stuff.
>
> I tend to use SELinux booleans as the USE flags in Gentoo: users (admins) set them according to their beliefs and needs, and the system adapts to it.
>
> Wkr,
> Sven Vermeulen
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
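The boolean-gated access levels Sven describes, written out as a refpolicy-style .te fragment. This is an added illustration for readers of the thread, not code from the message or from the actual Gentoo/refpolicy chromium module; the domain name chromium_t and the download type chromium_xdg_download_t are assumed, and the userdom_* and *_pattern calls are standard refpolicy interfaces and macros.

```m4
## <desc>
##	<p>
##	Allow chromium to read generic user home content
##	(e.g. ~/Pictures when uploading a photo).
##	</p>
## </desc>
gen_tunable(chromium_read_user_content, true)

## <desc>
##	<p>
##	Allow chromium to create, write and delete generic
##	user home content, not just its download location.
##	</p>
## </desc>
gen_tunable(chromium_manage_user_content, false)

# Assumed domain and download-file type names; the real module may differ.
type chromium_t;
type chromium_xdg_download_t;
userdom_user_home_content(chromium_xdg_download_t)

# Always allowed, regardless of booleans: the browser owns its download location.
manage_files_pattern(chromium_t, chromium_xdg_download_t, chromium_xdg_download_t)
manage_dirs_pattern(chromium_t, chromium_xdg_download_t, chromium_xdg_download_t)

# Gated by the first boolean: read-only access to the rest of the home directory.
tunable_policy(`chromium_read_user_content',`
	userdom_list_user_home_content(chromium_t)
	userdom_read_user_home_content_files(chromium_t)
')

# Gated separately, off by default: full read/write access to generic user content.
tunable_policy(`chromium_manage_user_content',`
	userdom_manage_user_home_content_dirs(chromium_t)
	userdom_manage_user_home_content_files(chromium_t)
')
```

An administrator who wants the wider access flips it persistently with `setsebool -P chromium_manage_user_content on`, and `getsebool -a | grep chromium` shows what is currently in effect.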