From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 29 Nov 2016 15:05:04 +0100
Subject: [refpolicy] [PATCH] Apache OpenOffice module
In-Reply-To:
References: <1480113700.5692.4.camel@trentalancia.net>
Message-ID: <1480428304.4743.6.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

On Tue, 29/11/2016 at 12.51 +0100, Dominick Grift via refpolicy wrote:
> On 11/29/2016 02:48 AM, Chris PeBenito wrote:
> >
> > On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
> > >
> > > On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
> > > >
> > > > This is a minimal patch that I am testing to support Apache
> > > > OpenOffice with its own module.
> > > >
> > > > The file contexts (and initial tests) are based on the default
> > > > installation path for version 4 of the office suite.
> > > >
> > > > Signed-off-by: Guido Trentalancia
> > > > ---
> > [...]
> > >
> > > I am personally of the opinion that this module probably will not
> > > cut it in the end. Basically because it's too limited, especially
> > > considering that it uses dbus.
> >
> > I'm unclear what the purpose of this policy is. Users aren't going
> > to expect this kind of limitation. They should be able to edit
> > whatever their user domain has access to, i.e. the same reason vim
> > doesn't have a policy.
>
> vim is a text editor. open/libre office is an office suite.
>
> I do not believe that anyone expects the latter to be able to manage
> config, data and cache files.

It only reads ~/.cache and ~/.config, while it also needs to manage
~/.local/share files.

Indeed, on the system that I am using, it is confined by enforcing the
above. It works really well!

On the other hand, the patch proposed here simplifies things by allowing
it to manage the whole home directory content.

Of course, it can always be extended at a later time to enforce stricter
file permissions on the above mentioned hidden directories by rethinking
the whole desktop file contexts and security.

But, as a first step, I suppose the proposed module is enough.

> If you want to enforce some integrity on the desktop then you have to
> draw the line somewhere sometimes. I suppose that is what enforcing
> integrity is all about after all...

Regards,

Guido
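As an added illustration of the two scopes discussed in this thread (not code from the patch under review or from refpolicy itself): a hypothetical openoffice_t domain that only reads the cache and config directories but manages ~/.local/share, beside the broader option of managing all user home content. The openoffice_t and xdg_*_home_t type names are assumptions; the permission-set macros and the userdom_* interfaces are refpolicy's own.

```selinux
# Added illustration. openoffice_t and the xdg_*_home_t types are
# hypothetical names, not types from the patch under discussion.
type openoffice_t;
type xdg_cache_home_t;
type xdg_config_home_t;
type xdg_data_home_t;

# Narrow scope: the suite may list and read ~/.cache and ~/.config ...
allow openoffice_t { xdg_cache_home_t xdg_config_home_t }:dir list_dir_perms;
allow openoffice_t { xdg_cache_home_t xdg_config_home_t }:file read_file_perms;

# ... but must be able to create, write and remove content under
# ~/.local/share, so that directory gets the full manage permission sets.
allow openoffice_t xdg_data_home_t:dir manage_dir_perms;
allow openoffice_t xdg_data_home_t:file manage_file_perms;

# Broad scope (an alternative to the rules above, not a complement): the
# domain may manage every directory and file labelled as user home content,
# so the read-only/manage split between the hidden directories is lost.
userdom_manage_user_home_content_dirs(openoffice_t)
userdom_manage_user_home_content_files(openoffice_t)
```

The narrow variant only confines anything if the three directories actually carry distinct labels in the file contexts, which is the relabelling of the desktop the reply above refers to.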