From: guido@trentalancia.net (Guido Trentalancia) Date: Sun, 04 Dec 2016 16:20:01 +0100 Subject: [refpolicy] [PATCH v7 1/2] Apache OpenOffice module (base policy part) In-Reply-To: <1480860286.13582.1.camel@trentalancia.net> References: <1480113700.5692.4.camel@trentalancia.net> <848bd66a-ead2-97e3-b952-265ab5d8c903@ieee.org> <1480506047.4743.15.camel@trentalancia.net> <129294c5-fc05-bd28-74b0-87e9bc3c2ef8@ieee.org> <1480677871.3915.6.camel@trentalancia.net> <1480860286.13582.1.camel@trentalancia.net> Message-ID: <1480864801.13582.12.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This is a patch that I have created and tested to support Apache OpenOffice with its own module (base policy part, 1/2). The file contexts (and initial tests) are based on the default installation path for version 4 of the office suite. Since the second version it includes revisions from Dominick Grift. Since the third version it should correctly manage files in home directories and allow some other major functionality. The fourth version of the patch introduces a boolean to enable or disable software updates from the network (application and/or extensions). The fifth version of the patch adds the ability to connect to the X display manager (XDM) using Unix domain sockets (interface xserver_stream_connect_xdm()). Also the fifth version splits the whole patch into separate base policy / contrib policy patches as required. The sixth version of this patch removes obsolete executable permission from the unconfined module. This seventh version brings no changes in the base part of the patch. Signed-off-by: Guido Trentalancia --- policy/modules/roles/staff.te | 4 ++++ policy/modules/roles/sysadm.te | 4 ++++ policy/modules/roles/unprivuser.te | 4 ++++ policy/modules/services/xserver.if | 19 +++++++++++++++++++ policy/modules/system/libraries.fc | 2 ++ policy/modules/system/unconfined.fc | 1 - 6 files changed, 33 insertions(+), 1 deletion(-) diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te --- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-12-04 14:08:03.779762377 +0100 +++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-12-02 15:27:20.272710161 +0100 @@ -141,6 +142,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + ooffice_role(staff_r, staff_t) + ') + + optional_policy(` pyzor_role(staff_r, staff_t) ') diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te --- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-12-04 14:08:03.793762581 +0100 +++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-12-02 15:26:58.253515665 +0100 @@ -721,6 +721,10 @@ optional_policy(` ') optional_policy(` + ooffice_role(sysadm_r, sysadm_t) +') + +optional_policy(` openct_admin(sysadm_t, sysadm_r) ') diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te --- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-12-04 14:08:03.794762596 +0100 +++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-12-02 15:26:24.077227786 +0100 @@ -114,6 +115,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + ooffice_role(user_r, user_t) + ') + + optional_policy(` postgresql_role(user_r, user_t) ') diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if --- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-12-04 14:08:03.794762596 +0100 +++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-12-04 14:08:26.795097338 +0100 @@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',` ######################################## ## +## Read all users .ICEauthority. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_user_iceauth',` + gen_require(` + type iceauth_home_t; + ') + + allow $1 iceauth_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## ## Set the attributes of the X windows console named pipes. ## ## diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc --- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-12-04 14:08:03.795762611 +0100 +++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100 @@ -52,6 +52,8 @@ ifdef(`distro_redhat',` /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # despite the extensions, they are actually libs /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) diff -pruN refpolicy-git-25112016-orig/policy/modules/system/unconfined.fc refpolicy-git-25112016/policy/modules/system/unconfined.fc --- refpolicy-git-25112016-orig/policy/modules/system/unconfined.fc 2016-08-14 21:24:48.971382400 +0200 +++ refpolicy-git-25112016/policy/modules/system/unconfined.fc 2016-12-04 14:19:24.768673321 +0100 @@ -6,7 +6,6 @@ /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)