From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 26 Nov 2016 15:37:36 +0100 Subject: [refpolicy] [PATCH] Apache OpenOffice module In-Reply-To: References: <1480113700.5692.4.camel@trentalancia.net> Message-ID: <1480171056.23096.6.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello, thanks very much for the revision. I have now posted a second version of the patch... On Sat, 26/11/2016 at 14.53 +0100, Dominick Grift via refpolicy wrote: > On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote: > > > > This is a minimal patch that I am testing to support Apache > > OpenOffice > > with its own module. > > > > The file contexts (and initial tests) are based on the default > > installation path for version 4 of the office suite. > > > > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/contrib/openoffice.fc |???30 ++++++++++++ > > ?policy/modules/contrib/openoffice.if |???48 ++++++++++++++++++++ > > ?policy/modules/contrib/openoffice.te |???83 > > +++++++++++++++++++++++++++++++++++ > > ?policy/modules/roles/staff.te????????|????4 + > > ?policy/modules/roles/sysadm.te???????|????4 + > > ?policy/modules/roles/unprivuser.te???|????4 + > > ?policy/modules/services/xserver.if???|???19 ++++++++ > > ?policy/modules/system/libraries.fc???|????2 > > ?8 files changed, 194 insertions(+) > > > > diff -pruN refpolicy-git-25112016- > > orig/policy/modules/contrib/openoffice.fc refpolicy-git- > > 25112016/policy/modules/contrib/openoffice.fc > > --- refpolicy-git-25112016- > > orig/policy/modules/contrib/openoffice.fc 1970-01-01 > > 01:00:00.000000000 +0100 > > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc > > 2016-11-25 23:24:38.338111736 +0100 > > @@ -0,0 +1,30 @@ > > +HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:o > > office_home_t,s0) > > + > > +/opt/openoffice4/program/cde-open-url -- gen > > _context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/gnome-open-url -- g > > en_context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/gnome-open-url.bin -- gen_c > > ontext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/javaldx -- gen_cont > > ext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/kde-open-url -- gen > > _context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/open-url -- gen_con > > text(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/pagein -- g > > en_context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/regcomp.bin -- gen_ > > context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/regmerge -- gen_con > > text(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/regview -- gen_cont > > ext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/sbase -- ge > > n_context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/scalc -- ge > > n_context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/sdraw -- ge > > n_context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/senddoc -- gen_cont > > ext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/simpress -- gen_con > > text(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/smath -- ge > > n_context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/soffice -- gen_cont > > ext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/soffice\.bin -- gen > > _context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/spadmin -- gen_cont > > ext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/spadmin.bin -- gen_ > > context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/startup.sh -- gen_c > > ontext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/swriter -- gen_cont > > ext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/uno.bin -- gen_cont > > ext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/unoinfo -- gen_cont > > ext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/unopkg -- g > > en_context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/unopkg.bin -- gen_c > > ontext(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/unpack_update -- ge > > n_context(system_u:object_r:ooffice_exec_t,s0) > > +/opt/openoffice4/program/uri-encode -- gen_c > > ontext(system_u:object_r:ooffice_exec_t,s0) > > escape the periods consistently to avoid regex confusion > > > > > diff -pruN refpolicy-git-25112016- > > orig/policy/modules/contrib/openoffice.if refpolicy-git- > > 25112016/policy/modules/contrib/openoffice.if > > --- refpolicy-git-25112016- > > orig/policy/modules/contrib/openoffice.if 1970-01-01 > > 01:00:00.000000000 +0100 > > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if > > 2016-11-25 23:24:38.339111745 +0100 > > @@ -0,0 +1,48 @@ > > +## Openoffice suite. > > + > > +############################################################ > > +## > > +## Role access for openoffice. > > +## > > +## > > +## > > +## Role allowed access. > > +## > > +## > > +## > > +## > > +## User domain for the role. > > +## > > +## > > +# > > +interface(`ooffice_role',` > > + gen_require(` > > + attribute_role ooffice_roles; > > + type ooffice_t, ooffice_exec_t; > > +????????') > > + > > + roleattribute $1 ooffice_roles; > > + > > + domtrans_pattern($2, ooffice_exec_t, ooffice_t) > > + > > + allow $2 ooffice_t:process { ptrace signal_perms }; > > + ps_process_pattern($2, ooffice_t) > > +') > > + > > +######################################## > > +## > > +## Run openoffice in its own domain. > > +## > > +## > > +## > > +## Domain allowed to transition. > > +## > > +## > > +# > > +interface(`ooffice_domtrans',` > > + gen_require(` > > + type ooffice_t, ooffice_exec_t; > > + ') > > + > > + domtrans_pattern($1, ooffice_exec_t, ooffice_t) > > +') > > diff -pruN refpolicy-git-25112016- > > orig/policy/modules/contrib/openoffice.te refpolicy-git- > > 25112016/policy/modules/contrib/openoffice.te > > --- refpolicy-git-25112016- > > orig/policy/modules/contrib/openoffice.te 1970-01-01 > > 01:00:00.000000000 +0100 > > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te > > 2016-11-25 23:27:00.726425482 +0100 > > @@ -0,0 +1,83 @@ > > +policy_module(openoffice, 1.0.0) > > + > > +############################## > > +# > > +# Declarations > > +# > > + > > +attribute_role ooffice_roles; > > + > > +type ooffice_t; > > +type ooffice_exec_t; > > +userdom_user_application_domain(ooffice_t, ooffice_exec_t) > > +role ooffice_roles types ooffice_t; > > + > > +type ooffice_home_t; > > +userdom_user_home_content(ooffice_home_t) > > + > > +type ooffice_tmp_t; > > +files_tmp_file(ooffice_tmp_t) > > + > > +############################## > > +# > > +# Openoffice local policy > > +# > > + > > +allow ooffice_t self:process { execmem signal }; > > +allow ooffice_t self:shm create_shm_perms; > > +allow ooffice_t self:udp_socket create_socket_perms; > > the above indicated that it is probably an nss client > (auth_use_nsswitch()) > > > > > +allow ooffice_t self:unix_stream_socket connectto; > > + > > +allow ooffice_t ooffice_home_t:dir manage_dir_perms; > > +allow ooffice_t ooffice_home_t:file manage_file_perms; > > +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms; > > lacking a auto type transition rule > (userdom_user_home_dir_filetrans()) > > > > > + > > +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) > > +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) > > +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) > > +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file > > }) > > + > > +rw_fifo_files_pattern(ooffice_t, ooffice_t, ooffice_t) > > allow ooffice_t self rw_fifo_file_perms; (there are no dirs with type > ooffice_t other than the ones in /proc) > > > > > + > > +can_exec(ooffice_t, ooffice_exec_t) > > + > > +corecmd_exec_bin(ooffice_t) > > +corecmd_exec_shell(ooffice_t) > > + > > +dev_read_sysfs(ooffice_t) > > +dev_read_urand(ooffice_t) > > + > > +files_read_etc_files(ooffice_t) > > +files_read_usr_files(ooffice_t) > > + > > +fs_getattr_xattr_fs(ooffice_t) > > + > > +miscfiles_read_fonts(ooffice_t) > > +miscfiles_read_localization(ooffice_t) > > + > > +sysnet_read_config(ooffice_t) > > this is also part of the nss client stuff i mentioned above. Looks > like > it is getting ready to do some dns resolving > > > > > + > > +userdom_manage_user_home_content_dirs(ooffice_t) > > +userdom_manage_user_home_content_files(ooffice_t) > > +userdom_manage_user_home_content_symlinks(ooffice_t) > > +userdom_search_user_home_content(ooffice_t) > > redundant because the first three already provide the functionality > that > the fourth provides. > > > > > + > > +optional_policy(` > > + cups_read_config(ooffice_t) > > + cups_stream_connect(ooffice_t) > > +') > > + > > +optional_policy(` > > + dbus_all_session_bus_client(ooffice_t) > > +') > > + > > +optional_policy(` > > + hostname_exec(ooffice_t) > > +') > > + > > +optional_policy(` > > + xserver_read_user_iceauth(ooffice_t) > > + xserver_read_user_xauth(ooffice_t) > > + xserver_read_xdm_tmp_files(ooffice_t) > > + xserver_stream_connect(ooffice_t) > > +') > > diff -pruN refpolicy-git-25112016- > > orig/policy/modules/roles/staff.te refpolicy-git- > > 25112016/policy/modules/roles/staff.te > > --- refpolicy-git-25112016-orig/policy/modules/roles/staff.te > > 2016-10-29 16:29:13.453156183 +0200 > > +++ refpolicy-git-25112016/policy/modules/roles/staff.te 201 > > 6-11-25 23:24:38.339111745 +0100 > > @@ -141,6 +141,10 @@ ifndef(`distro_redhat',` > > ? ') > > ? > > ? optional_policy(` > > + ooffice_role(staff_r, staff_t) > > + ') > > + > > + optional_policy(` > > ? pyzor_role(staff_r, staff_t) > > ? ') > > ? > > diff -pruN refpolicy-git-25112016- > > orig/policy/modules/roles/sysadm.te refpolicy-git- > > 25112016/policy/modules/roles/sysadm.te > > --- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te > > 2016-10-29 16:29:13.454156211 +0200 > > +++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 20 > > 16-11-25 23:24:38.340111754 +0100 > > @@ -721,6 +721,10 @@ optional_policy(` > > ?') > > ? > > ?optional_policy(` > > + ooffice_role(sysadm_r, sysadm_t) > > +') > > + > > +optional_policy(` > > ? openct_admin(sysadm_t, sysadm_r) > > ?') > > ? > > diff -pruN refpolicy-git-25112016- > > orig/policy/modules/roles/unprivuser.te refpolicy-git- > > 25112016/policy/modules/roles/unprivuser.te > > --- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te > > 2016-10-29 16:29:13.454156211 +0200 > > +++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te > > 2016-11-25 23:24:38.340111754 +0100 > > @@ -114,6 +114,10 @@ ifndef(`distro_redhat',` > > ? ') > > ? > > ? optional_policy(` > > + ooffice_role(user_r, user_t) > > + ') > > + > > + optional_policy(` > > ? postgresql_role(user_r, user_t) > > ? ') > > ? > > diff -pruN refpolicy-git-25112016- > > orig/policy/modules/services/xserver.if refpolicy-git- > > 25112016/policy/modules/services/xserver.if > > --- refpolicy-git-25112016-orig/policy/modules/services/xserver.if > > 2016-08-14 22:10:42.752848860 +0200 > > +++ refpolicy-git-25112016/policy/modules/services/xserver.if > > 2016-11-25 23:24:38.338111736 +0100 > > @@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',` > > ? > > ?######################################## > > ?## > > +## Read all users .ICEauthority. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`xserver_read_user_iceauth',` > > + gen_require(` > > + type iceauth_home_t; > > + ') > > + > > + allow $1 iceauth_home_t:file read_file_perms; > > + userdom_search_user_home_dirs($1) > > +') > > + > > +######################################## > > +## > > ?## Set the attributes of the X windows console named pipes. > > ?## > > ?## > > diff -pruN refpolicy-git-25112016- > > orig/policy/modules/system/libraries.fc refpolicy-git- > > 25112016/policy/modules/system/libraries.fc > > --- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc > > 2016-08-14 21:24:48.961382244 +0200 > > +++ refpolicy-git-25112016/policy/modules/system/libraries.fc > > 2016-11-25 23:24:38.338111736 +0100 > > @@ -52,6 +52,8 @@ ifdef(`distro_redhat',` > > ?/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(sys > > tem_u:object_r:textrel_shlib_t,s0) > > ?/opt/(.*/)?jre/.+\.jar -- gen_contex > > t(system_u:object_r:lib_t,s0) > > ? > > +/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_con > > text(system_u:object_r:lib_t,s0) > > + > > ?/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(syst > > em_u:object_r:textrel_shlib_t,s0) > > ?# despite the extensions, they are actually libs > > ?/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- > > gen_context(system_u:object_r:lib_t,s0) > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > > I am personally of the opinion that this module probably will not cut > it > in the end. Basically because it's too limited, especially > considering > that it uses dbus. > > However i will leave that judgement to others, and instead i stick to > shallow reviewing, ignoring any issue of structure that i see. It allows to run OpenOffice4 with the Reference Policy. It might probably be adapted to work with previous OpenOffice versions by simply changing the file contexts. If it proves to be limited, it can always be extended later on... At the moment it works fine, as far as I can tell. However, it probably needs more testing. Regards, Guido