From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 4 Dec 2016 12:51:44 -0500 Subject: [refpolicy] [PATCH v7 2/2] Apache OpenOffice module (contrib policy part) In-Reply-To: <1480865168.13582.18.camel@trentalancia.net> References: <1480113700.5692.4.camel@trentalancia.net> <848bd66a-ead2-97e3-b952-265ab5d8c903@ieee.org> <1480506047.4743.15.camel@trentalancia.net> <129294c5-fc05-bd28-74b0-87e9bc3c2ef8@ieee.org> <1480677884.3915.7.camel@trentalancia.net> <1480860300.13582.3.camel@trentalancia.net> <1480865168.13582.18.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/04/16 10:26, Guido Trentalancia via refpolicy wrote: > This is a patch that I have created and tested to support Apache > OpenOffice with its own module (contrib policy part, 2/2). > > The file contexts (and initial tests) are based on the default > installation path for version 4 of the office suite. > > Since the second version it includes revisions from Dominick Grift. > > Since the third version it should correctly manage files in home > directories and allow some other major functionality. > > The fourth version of the patch introduces a boolean to enable or > disable software updates from the network (application and/or > extensions). > > The fifth version of the patch adds the ability to connect to the > X display manager (XDM) using Unix domain sockets (interface > xserver_stream_connect_xdm()). Also the fifth version splits the > whole patch into separate base policy / contrib policy patches as > required. > > The sixth version of the patch adds the ability to run the > evolution email application. > > This seventh version of the patch, improves the integration with > the evolution email application. > > Although this patch has only been tested with Apache OpenOffice > version 4, it might also work with earlier versions (in particular > version 3) or at least it can be easily adapted for the purpose. Are you still working on this? I was about to merge v6 when this appeared. > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/evolution.if | 38 +++++++++++ > policy/modules/contrib/evolution.te | 5 + > policy/modules/contrib/openoffice.fc | 30 ++++++++ > policy/modules/contrib/openoffice.if | 67 +++++++++++++++++++ > policy/modules/contrib/openoffice.te | 118 +++++++++++++++++++++++++++++++++++ > 5 files changed, 258 insertions(+) > > diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if refpolicy-git-25112016/policy/modules/contrib/evolution.if > --- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if 2016-12-04 16:02:48.317069925 +0100 > +++ refpolicy-git-25112016/policy/modules/contrib/evolution.if 2016-12-04 16:03:37.777350810 +0100 > @@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',` > > ######################################## > ## > +## Read evolution home files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`evolution_read_evolution_home_files',` > + gen_require(` > + type evolution_t, evolution_home_t; > + ') > + > + read_files_pattern($1, evolution_home_t, evolution_home_t) > +') > + > +######################################## > +## > ## Connect to evolution using a unix > ## domain stream socket. > ## > @@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',` > allow $1 evolution_alarm_t:dbus send_msg; > allow evolution_alarm_t $1:dbus send_msg; > ') > + > +######################################## > +## > +## Make a domain transition to the > +## evolution target domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`evolution_domtrans',` > + gen_require(` > + type evolution_t, evolution_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, evolution_exec_t, evolution_t); > +') > diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te refpolicy-git-25112016/policy/modules/contrib/evolution.te > --- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te 2016-12-04 15:48:16.164030673 +0100 > +++ refpolicy-git-25112016/policy/modules/contrib/evolution.te 2016-12-04 15:48:37.116534261 +0100 > @@ -270,6 +270,11 @@ optional_policy(` > ') > > optional_policy(` > + ooffice_domtrans(evolution_t) > + ooffice_rw_ooffice_tmp_files(evolution_t) > +') > + > +optional_policy(` > spamassassin_exec_spamd(evolution_t) > spamassassin_domtrans_client(evolution_t) > spamassassin_domtrans_local_client(evolution_t) > diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc > --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100 > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-12-04 14:34:22.734742098 +0100 > @@ -0,0 +1,30 @@ > +HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0) > + > +/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0) > diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if > --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100 > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-12-04 15:36:53.136278874 +0100 > @@ -0,0 +1,67 @@ > +## Openoffice suite. > + > +############################################################ > +## > +## Role access for openoffice. > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +## > +## User domain for the role. > +## > +## > +# > +interface(`ooffice_role',` > + gen_require(` > + attribute_role ooffice_roles; > + type ooffice_t, ooffice_exec_t; > + ') > + > + roleattribute $1 ooffice_roles; > + > + domtrans_pattern($2, ooffice_exec_t, ooffice_t) > + > + allow $2 ooffice_t:process { ptrace signal_perms }; > + ps_process_pattern($2, ooffice_t) > +') > + > +######################################## > +## > +## Run openoffice in its own domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`ooffice_domtrans',` > + gen_require(` > + type ooffice_t, ooffice_exec_t; > + ') > + > + domtrans_pattern($1, ooffice_exec_t, ooffice_t) > +') > + > +######################################## > +## > +## Read and write temporary > +## openoffice files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`ooffice_rw_ooffice_tmp_files',` > + gen_require(` > + type ooffice_tmp_t; > + ') > + > + rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t) > +') > diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te > --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100 > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-12-04 16:05:06.872422860 +0100 > @@ -0,0 +1,118 @@ > +policy_module(openoffice, 1.0.0) > + > +############################## > +# > +# Declarations > +# > + > +## > +##

> +## Determine whether openoffice can > +## download software updates from the > +## network (application and/or > +## extensions). > +##

> +##
> +gen_tunable(openoffice_allow_update, true) > + > +attribute_role ooffice_roles; > + > +type ooffice_t; > +type ooffice_exec_t; > +userdom_user_application_domain(ooffice_t, ooffice_exec_t) > +role ooffice_roles types ooffice_t; > + > +type ooffice_home_t; > +userdom_user_home_content(ooffice_home_t) > + > +type ooffice_tmp_t; > +files_tmp_file(ooffice_tmp_t) > + > +############################## > +# > +# Openoffice local policy > +# > + > +allow ooffice_t self:process { execmem getsched signal }; > +allow ooffice_t self:shm create_shm_perms; > +allow ooffice_t self:fifo_file rw_fifo_file_perms; > +allow ooffice_t self:unix_stream_socket connectto; > + > +allow ooffice_t ooffice_home_t:dir manage_dir_perms; > +allow ooffice_t ooffice_home_t:file manage_file_perms; > +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms; > +userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice") > + > +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) > +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) > +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) > +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file }) > + > +can_exec(ooffice_t, ooffice_exec_t) > + > +corecmd_exec_bin(ooffice_t) > +corecmd_exec_shell(ooffice_t) > + > +dev_read_sysfs(ooffice_t) > +dev_read_urand(ooffice_t) > + > +files_getattr_all_dirs(ooffice_t) > +files_getattr_all_files(ooffice_t) > +files_getattr_all_symlinks(ooffice_t) > +files_read_etc_files(ooffice_t) > +files_read_usr_files(ooffice_t) > + > +fs_getattr_xattr_fs(ooffice_t) > + > +miscfiles_read_fonts(ooffice_t) > +miscfiles_read_localization(ooffice_t) > + > +sysnet_dns_name_resolve(ooffice_t) > + > +userdom_dontaudit_exec_user_home_content_files(ooffice_t) > +userdom_manage_user_home_content_dirs(ooffice_t) > +userdom_manage_user_home_content_files(ooffice_t) > +userdom_manage_user_home_content_symlinks(ooffice_t) > +userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file }) > + > +tunable_policy(`openoffice_allow_update',` > + corenet_tcp_connect_http_port(ooffice_t) > +') > + > +optional_policy(` > + cups_read_config(ooffice_t) > + cups_stream_connect(ooffice_t) > +') > + > +optional_policy(` > + dbus_all_session_bus_client(ooffice_t) > +') > + > +optional_policy(` > + evolution_domtrans(ooffice_t) > + evolution_read_evolution_home_files(ooffice_t) > +') > + > +optional_policy(` > + hostname_exec(ooffice_t) > +') > + > +optional_policy(` > + java_exec(ooffice_t) > +') > + > +optional_policy(` > + mozilla_domtrans(ooffice_t) > +') > + > +optional_policy(` > + thunderbird_domtrans(ooffice_t) > +') > + > +optional_policy(` > + xserver_read_user_iceauth(ooffice_t) > + xserver_read_user_xauth(ooffice_t) > + xserver_read_xdm_tmp_files(ooffice_t) > + xserver_stream_connect(ooffice_t) > + xserver_stream_connect_xdm(ooffice_t) > +') > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito