From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 26 Nov 2016 15:32:07 +0100 Subject: [refpolicy] [PATCH v2] Apache OpenOffice module In-Reply-To: References: <1480113700.5692.4.camel@trentalancia.net> Message-ID: <1480170727.23096.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This is a minimal patch that I am testing to support Apache OpenOffice with its own module. The file contexts (and initial tests) are based on the default installation path for version 4 of the office suite. This second version includes revisions from Dominick Grift. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/openoffice.fc | 30 ++++++++++++ policy/modules/contrib/openoffice.if | 48 ++++++++++++++++++++ policy/modules/contrib/openoffice.te | 81 +++++++++++++++++++++++++++++++++++ policy/modules/roles/staff.te | 4 + policy/modules/roles/sysadm.te | 4 + policy/modules/roles/unprivuser.te | 4 + policy/modules/services/xserver.if | 19 ++++++++ policy/modules/system/libraries.fc | 2 8 files changed, 192 insertions(+) diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100 +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-11-26 15:05:58.006638672 +0100 @@ -0,0 +1,30 @@ +HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0) + +/opt/openoffice4/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice4/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0) diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100 +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-26 15:03:47.654293949 +0100 @@ -0,0 +1,48 @@ +## Openoffice suite. + +############################################################ +## +## Role access for openoffice. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`ooffice_role',` + gen_require(` + attribute_role ooffice_roles; + type ooffice_t, ooffice_exec_t; + ') + + roleattribute $1 ooffice_roles; + + domtrans_pattern($2, ooffice_exec_t, ooffice_t) + + allow $2 ooffice_t:process { ptrace signal_perms }; + ps_process_pattern($2, ooffice_t) +') + +######################################## +## +## Run openoffice in its own domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ooffice_domtrans',` + gen_require(` + type ooffice_t, ooffice_exec_t; + ') + + domtrans_pattern($1, ooffice_exec_t, ooffice_t) +') diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100 +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-11-26 15:26:20.200580983 +0100 @@ -0,0 +1,81 @@ +policy_module(openoffice, 1.0.0) + +############################## +# +# Declarations +# + +attribute_role ooffice_roles; + +type ooffice_t; +type ooffice_exec_t; +userdom_user_application_domain(ooffice_t, ooffice_exec_t) +role ooffice_roles types ooffice_t; + +type ooffice_home_t; +userdom_user_home_content(ooffice_home_t) + +type ooffice_tmp_t; +files_tmp_file(ooffice_tmp_t) + +############################## +# +# Openoffice local policy +# + +allow ooffice_t self:process { execmem signal }; +allow ooffice_t self:shm create_shm_perms; +allow ooffice_t self:fifo_file rw_fifo_file_perms; +allow ooffice_t self:unix_stream_socket connectto; + +allow ooffice_t ooffice_home_t:dir manage_dir_perms; +allow ooffice_t ooffice_home_t:file manage_file_perms; +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms; +userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, { dir file lnk_file }) + +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file }) + +can_exec(ooffice_t, ooffice_exec_t) + +corecmd_exec_bin(ooffice_t) +corecmd_exec_shell(ooffice_t) + +auth_use_nsswitch(ooffice_t) + +dev_read_sysfs(ooffice_t) +dev_read_urand(ooffice_t) + +files_read_etc_files(ooffice_t) +files_read_usr_files(ooffice_t) + +fs_getattr_xattr_fs(ooffice_t) + +miscfiles_read_fonts(ooffice_t) +miscfiles_read_localization(ooffice_t) + +userdom_manage_user_home_content_dirs(ooffice_t) +userdom_manage_user_home_content_files(ooffice_t) +userdom_manage_user_home_content_symlinks(ooffice_t) + +optional_policy(` + cups_read_config(ooffice_t) + cups_stream_connect(ooffice_t) +') + +optional_policy(` + dbus_all_session_bus_client(ooffice_t) +') + +optional_policy(` + hostname_exec(ooffice_t) +') + +optional_policy(` + xserver_read_user_iceauth(ooffice_t) + xserver_read_user_xauth(ooffice_t) + xserver_read_xdm_tmp_files(ooffice_t) + xserver_stream_connect(ooffice_t) +') diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te --- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-10-29 16:29:13.453156183 +0200 +++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-11-26 15:03:47.656293970 +0100 @@ -141,6 +141,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + ooffice_role(staff_r, staff_t) + ') + + optional_policy(` pyzor_role(staff_r, staff_t) ') diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te --- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-10-29 16:29:13.454156211 +0200 +++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-11-26 15:03:47.657293980 +0100 @@ -721,6 +721,10 @@ optional_policy(` ') optional_policy(` + ooffice_role(sysadm_r, sysadm_t) +') + +optional_policy(` openct_admin(sysadm_t, sysadm_r) ') diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te --- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-10-29 16:29:13.454156211 +0200 +++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-11-26 15:03:47.658293990 +0100 @@ -114,6 +114,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + ooffice_role(user_r, user_t) + ') + + optional_policy(` postgresql_role(user_r, user_t) ') diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if --- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-08-14 22:10:42.752848860 +0200 +++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-11-26 15:03:47.658293990 +0100 @@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',` ######################################## ## +## Read all users .ICEauthority. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_user_iceauth',` + gen_require(` + type iceauth_home_t; + ') + + allow $1 iceauth_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## ## Set the attributes of the X windows console named pipes. ## ## diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc --- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200 +++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100 @@ -52,6 +52,8 @@ ifdef(`distro_redhat',` /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # despite the extensions, they are actually libs /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)