From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 03 Dec 2016 17:11:20 +0100
Subject: [refpolicy] [PATCH] Apache OpenOffice module
In-Reply-To:
References: <1480113700.5692.4.camel@trentalancia.net> <848bd66a-ead2-97e3-b952-265ab5d8c903@ieee.org> <5ebcef67-c5cd-2c1d-0ed3-3b2178c1c88b@gmail.com> <384904fc-7486-e10f-001a-6ff58520967b@ieee.org>
Message-ID: <1480781480.2874.7.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

On Sat, 03/12/2016 at 11.46 +0100, cgzones via refpolicy wrote:
> Some questions came up to me caused by this patch:
>
> 1.) Why does OpenOffice need all the files_getattr_all* permissions?

It is needed, for example, to select the email application in the options
(Tools->Options->Internet->eMail). It is harmless.

> 2.) What is the guideline whether guarding the execmem permission by an
> 'allow_execmem' block?

The application won't start without the execmem permission, so it is
pointless to enclose it in a tunable policy block.

> 3.) What is the guideline where to put filecontexts with base types?
> This patch contains the additions
>
> diff -pruN refpolicy-git-25112016- > orig/policy/modules/system/libraries.fc > refpolicy-git-25112016/policy/modules/system/libraries.fc > --- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc > ?2016-08-14 21:24:48.961382244 +0200 > +++ refpolicy-git-25112016/policy/modules/system/libraries.fc > 2016-11-26 15:03:47.659294001 +0100
> @@ -52,6 +52,8 @@ ifdef(`distro_redhat',` > ?/opt/(.*/)?jre.*/.+\.so(\.[^/]*)*??????-- > gen_context(system_u:object_r:textrel_shlib_t,s0) > ?/opt/(.*/)?jre/.+\.jar?????????????????-- > gen_context(system_u:object_r:lib_t,s0) > > +/opt/openoffice4/program/.+\.so(\.[^/]*)*??????-- > gen_context(system_u:object_r:lib_t,s0) > + > ?/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- > gen_context(system_u:object_r:textrel_shlib_t,s0) > ?# despite the extensions, they are actually libs > ?/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- > gen_context(system_u:object_r:lib_t,s0)
>
> lib_t is defined in libraries.te so maybe it makes sense to put the
> filecontext into the belonging libraries.fc file.
> But by this method the libraries.fc file (and also the corecommands.fc
> one) are quite big and might contain contexts no one will ever update
> or remove, because there is no obvious relationship to a module. Just
> my thoughts.

I prefer to keep the file contexts in their proper place.

> Kind Regards,
>     Christian Göttsche

Regards,

Guido
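Review bot: The hunk header `@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`` shows the new `/opt/openoffice4/program/.+\.so(\.[^/]*)*` entry is added inside the distro_redhat conditional, so on every non-Red Hat build these libraries get no lib_t label at all and fall back to whatever /opt is labelled; /opt/openoffice4 is the upstream install path regardless of distribution, so the entry belongs outside the ifdef (or, as the thread suggests, in the module's own .fc file). Second, the neighbouring /opt/(.*/)?jre.*/.+\.so and RealPlayer entries in the same hunk use textrel_shlib_t rather than lib_t; before settling on lib_t it is worth confirming that none of the bundled OpenOffice .so files carry a TEXTREL dynamic tag, because a library that needs text relocations will be denied execmod under lib_t and the application will fail to load it.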