From: guido@trentalancia.net (Guido Trentalancia) Date: Wed, 30 Nov 2016 12:40:47 +0100 Subject: [refpolicy] [PATCH v4] Apache OpenOffice module In-Reply-To: <848bd66a-ead2-97e3-b952-265ab5d8c903@ieee.org> References: <1480113700.5692.4.camel@trentalancia.net> <848bd66a-ead2-97e3-b952-265ab5d8c903@ieee.org> Message-ID: <1480506047.4743.15.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This is a minimal patch that I am testing to support Apache OpenOffice with its own module. The file contexts (and initial tests) are based on the default installation path for version 4 of the office suite. It includes revisions from Dominick Grift. Since the third version it should correctly manage files in home directories and allow some other major functionality. The fourth version of the patch introduces a boolean to enable or disable software updates from the network (application and/or extensions). Signed-off-by: Guido Trentalancia --- policy/modules/contrib/openoffice.fc | 30 +++++++++ policy/modules/contrib/openoffice.if | 48 +++++++++++++++ policy/modules/contrib/openoffice.te | 107 +++++++++++++++++++++++++++++++++++ policy/modules/roles/staff.te | 4 + policy/modules/roles/sysadm.te | 4 + policy/modules/roles/unprivuser.te | 4 + policy/modules/services/xserver.if | 19 ++++++ policy/modules/system/libraries.fc | 2 8 files changed, 218 insertions(+) diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100 +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-11-26 15:05:58.006638672 +0100 
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice4/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice4/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-26 15:03:47.654293949 +0100
@@ -0,0 +1,48 @@
+## Openoffice suite.
+
+############################################################
+##
+## Role access for openoffice.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+##
+## User domain for the role.
+##
+##
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+##
+## Run openoffice in its own domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te
--- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-11-30 12:26:43.119275241 +0100
@@ -0,0 +1,107 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+##
+##
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+##
+##
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+')
diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te
--- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-10-29 16:29:13.453156183 +0200
+++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-11-26 15:03:47.656293970 +0100
@@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ pyzor_role(staff_r, staff_t)
+ ')
diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te
--- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-11-26 15:03:47.657293980 +0100
@@ -721,6 +721,10 @@ optional_policy(`
 ')
 optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 openct_admin(sysadm_t, sysadm_r)
 ')
diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te
--- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-11-26 15:03:47.658293990 +0100
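Review bot: The `openoffice_allow_update` tunable grants more than its description promises: `corenet_tcp_connect_http_port(ooffice_t)` allows the office domain to connect to any host on the http ports, not just an update server, so with the shipped default of `true` a document that pulls remote content can, as far as this policy is concerned, make soffice.bin talk to arbitrary web servers. Most refpolicy tunables that open network egress default to off, so consider `gen_tunable(openoffice_allow_update, false)` and reword the description to something like `## Determine whether openoffice can connect to http ports, e.g. to download software updates (application and/or extensions) or remote document content.` so an administrator knows what flipping it enables. Separately, the `userdom_manage_user_home_content_*` calls give ooffice_t write access to all generic user home content (which, if I read userdom correctly, includes dot-files such as shell start-up files), so the dedicated `ooffice_home_t` type labels rather than confines; a one-line comment above those rules stating that this is an accepted trade-off for a document editor would save the next reviewer the same question. A short why-comment on `allow ooffice_t self:process { execmem getsched signal };` (which component needs executable anonymous memory) would likewise help, since execmem is the permission people most often try to remove later.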
@@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ postgresql_role(user_r, user_t)
+ ')
diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-08-14 22:10:42.752848860 +0200
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-11-26 15:03:47.658293990 +0100
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`
 ########################################
 ##
+## Read all users .ICEauthority.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
 ## Set the attributes of the X windows console named pipes.
 ##
 ##
diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc
--- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200
+++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
 /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
 /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 # despite the extensions, they are actually libs
 /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)