From: cgzones@googlemail.com (cgzones)
Date: Sat, 3 Dec 2016 11:46:28 +0100
Subject: [refpolicy] [PATCH] Apache OpenOffice module
In-Reply-To:
References: <1480113700.5692.4.camel@trentalancia.net> <848bd66a-ead2-97e3-b952-265ab5d8c903@ieee.org> <5ebcef67-c5cd-2c1d-0ed3-3b2178c1c88b@gmail.com> <384904fc-7486-e10f-001a-6ff58520967b@ieee.org>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Some questions came up to me caused by this patch:

1.) Why does OpenOffice need all the files_getattr_all* permissions?
2.) What is the guideline whether guarding the execmem permission by an 'allow_execmem' block?
3.) What is the guideline where to put filecontexts with base types?

This patch contains the additions

diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc --- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200 +++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100 @@ -52,6 +52,8 @@ ifdef(`distro_redhat',` /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # despite the extensions, they are actually libs /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)

lib_t is defined in libraries.te so maybe it makes sense to put the filecontext into the belonging libraries.fc file. But by this method the libraries.fc file (and also the corecommands.fc one) are quite big and might contain contexts no one will ever update or remove, because there is no obvious relationship to a module.

Just my thoughts.

Kindly Regards,
Christian Göttsche
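
Review bot: The added `/opt/openoffice4/program/.+\.so(\.[^/]*)*` entry in libraries.fc hard-codes the major version in the directory name and carries no comment naming the module it belongs to. The neighbouring context lines already show a version-tolerant style (`/opt/Acrobat[5-9]/...`) and an explanatory comment (`# despite the extensions, they are actually libs`); a pattern such as `/opt/openoffice[0-9]*/program/...` together with a one-line comment pointing at the OpenOffice module would keep the label applied after an upgrade and make the entry traceable if the module is later dropped, which is the maintenance concern raised in this mail. It is also worth confirming in the patch description that `lib_t` is intended here, since the adjacent jre and RealPlayer `.so` entries are labelled `textrel_shlib_t`.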