From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 04 Dec 2016 18:54:20 +0100
Subject: [refpolicy] [PATCH v7 2/2] Apache OpenOffice module (contrib policy part)
In-Reply-To:
References: <1480113700.5692.4.camel@trentalancia.net> <848bd66a-ead2-97e3-b952-265ab5d8c903@ieee.org> <1480506047.4743.15.camel@trentalancia.net> <129294c5-fc05-bd28-74b0-87e9bc3c2ef8@ieee.org> <1480677884.3915.7.camel@trentalancia.net> <1480860300.13582.3.camel@trentalancia.net> <1480865168.13582.18.camel@trentalancia.net>
Message-ID: <754214DD-7CF2-4556-99FC-A335599B4DE2@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

You can safely merge both patches.

Thanks,

Guido

On the 4th of December 2016 18:51:44 CET, Chris PeBenito wrote:
>On 12/04/16 10:26, Guido Trentalancia via refpolicy wrote:
>> This is a patch that I have created and tested to support Apache
>> OpenOffice with its own module (contrib policy part, 2/2).
>>
>> The file contexts (and initial tests) are based on the default
>> installation path for version 4 of the office suite.
>>
>> Since the second version it includes revisions from Dominick Grift.
>>
>> Since the third version it should correctly manage files in home
>> directories and allow some other major functionality.
>>
>> The fourth version of the patch introduces a boolean to enable or
>> disable software updates from the network (application and/or
>> extensions).
>>
>> The fifth version of the patch adds the ability to connect to the
>> X display manager (XDM) using Unix domain sockets (interface
>> xserver_stream_connect_xdm()). Also the fifth version splits the
>> whole patch into separate base policy / contrib policy patches as
>> required.
>>
>> The sixth version of the patch adds the ability to run the
>> evolution email application.
>>
>> This seventh version of the patch improves the integration with
>> the evolution email application.
>> >> Although this patch has only been tested with Apache OpenOffice >> version 4, it might also work with earlier versions (in particular >> version 3) or at least it can be easily adapted for the purpose. > >Are you still working on this? I was about to merge v6 when this >appeared. > > > >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/contrib/evolution.if | 38 +++++++++++ >> policy/modules/contrib/evolution.te | 5 + >> policy/modules/contrib/openoffice.fc | 30 ++++++++ >> policy/modules/contrib/openoffice.if | 67 +++++++++++++++++++ >> policy/modules/contrib/openoffice.te | 118 >+++++++++++++++++++++++++++++++++++ >> 5 files changed, 258 insertions(+) >> >> diff -pruN >refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if >refpolicy-git-25112016/policy/modules/contrib/evolution.if >> --- >refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if 2016-12-04 >16:02:48.317069925 +0100 >> +++ >refpolicy-git-25112016/policy/modules/contrib/evolution.if 2016-12-04 >16:03:37.777350810 +0100 >> @@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',` >> >> ######################################## >> ## >> +## Read evolution home files. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`evolution_read_evolution_home_files',` >> + gen_require(` >> + type evolution_t, evolution_home_t; >> + ') >> + >> + read_files_pattern($1, evolution_home_t, evolution_home_t) >> +') >> + >> +######################################## >> +## >> ## Connect to evolution using a unix >> ## domain stream socket. >> ## 
>> @@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',` >> allow $1 evolution_alarm_t:dbus send_msg; >> allow evolution_alarm_t $1:dbus send_msg; >> ') >> + >> +######################################## >> +## >> +## Make a domain transition to the >> +## evolution target domain. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`evolution_domtrans',` >> + gen_require(` >> + type evolution_t, evolution_exec_t; >> + ') >> + >> + corecmd_search_bin($1) >> + domtrans_pattern($1, evolution_exec_t, evolution_t); >> +') >> diff -pruN >refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te >refpolicy-git-25112016/policy/modules/contrib/evolution.te >> --- >refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te 2016-12-04 >15:48:16.164030673 +0100 >> +++ >refpolicy-git-25112016/policy/modules/contrib/evolution.te 2016-12-04 >15:48:37.116534261 +0100 >> @@ -270,6 +270,11 @@ optional_policy(` >> ') >> >> optional_policy(` >> + ooffice_domtrans(evolution_t) >> + ooffice_rw_ooffice_tmp_files(evolution_t) >> +') >> + >> +optional_policy(` >> spamassassin_exec_spamd(evolution_t) >> spamassassin_domtrans_client(evolution_t) >> spamassassin_domtrans_local_client(evolution_t) >> diff -pruN >refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc >refpolicy-git-25112016/policy/modules/contrib/openoffice.fc >> --- >refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 >01:00:00.000000000 +0100 >> +++ >refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-12-04 >14:34:22.734742098 +0100 
>> @@ -0,0 +1,30 @@ >> >+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0) >> + >> >+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/spadmin\.bin -- 
gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> >+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0) >> diff -pruN >refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if >refpolicy-git-25112016/policy/modules/contrib/openoffice.if >> --- >refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 >01:00:00.000000000 +0100 >> +++ >refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-12-04 >15:36:53.136278874 +0100 
>> @@ -0,0 +1,67 @@ >> +## Openoffice suite. >> + >> +############################################################ >> +## >> +## Role access for openoffice. >> +## >> +## >> +## >> +## Role allowed access. >> +## >> +## >> +## >> +## >> +## User domain for the role. >> +## >> +## >> +# >> +interface(`ooffice_role',` >> + gen_require(` >> + attribute_role ooffice_roles; >> + type ooffice_t, ooffice_exec_t; >> + ') >> + >> + roleattribute $1 ooffice_roles; >> + >> + domtrans_pattern($2, ooffice_exec_t, ooffice_t) >> + >> + allow $2 ooffice_t:process { ptrace signal_perms }; >> + ps_process_pattern($2, ooffice_t) >> +') >> + >> +######################################## >> +## >> +## Run openoffice in its own domain. >> +## >> +## >> +## >> +## Domain allowed to transition. >> +## >> +## >> +# >> +interface(`ooffice_domtrans',` >> + gen_require(` >> + type ooffice_t, ooffice_exec_t; >> + ') >> + >> + domtrans_pattern($1, ooffice_exec_t, ooffice_t) >> +') >> + >> +######################################## >> +## >> +## Read and write temporary >> +## openoffice files. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`ooffice_rw_ooffice_tmp_files',` >> + gen_require(` >> + type ooffice_tmp_t; >> + ') >> + >> + rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t) >> +') >> diff -pruN >refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te >refpolicy-git-25112016/policy/modules/contrib/openoffice.te >> --- >refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 >01:00:00.000000000 +0100 >> +++ >refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-12-04 >16:05:06.872422860 +0100 >> @@ -0,0 +1,118 @@ >> +policy_module(openoffice, 1.0.0) >> + >> +############################## >> +# >> +# Declarations >> +# >> + >> +## >> +##

>> +## Determine whether openoffice can >> +## download software updates from the >> +## network (application and/or >> +## extensions). >> +##

>> +##
>> +gen_tunable(openoffice_allow_update, true) >> + >> +attribute_role ooffice_roles; >> + >> +type ooffice_t; >> +type ooffice_exec_t; >> +userdom_user_application_domain(ooffice_t, ooffice_exec_t) >> +role ooffice_roles types ooffice_t; >> + >> +type ooffice_home_t; >> +userdom_user_home_content(ooffice_home_t) >> + >> +type ooffice_tmp_t; >> +files_tmp_file(ooffice_tmp_t) >> + >> +############################## >> +# >> +# Openoffice local policy >> +# >> + >> +allow ooffice_t self:process { execmem getsched signal }; >> +allow ooffice_t self:shm create_shm_perms; >> +allow ooffice_t self:fifo_file rw_fifo_file_perms; >> +allow ooffice_t self:unix_stream_socket connectto; >> + >> +allow ooffice_t ooffice_home_t:dir manage_dir_perms; >> +allow ooffice_t ooffice_home_t:file manage_file_perms; >> +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms; >> +userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, >".openoffice") >> + >> +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) >> +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) >> +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) >> +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file >}) >> + >> +can_exec(ooffice_t, ooffice_exec_t) >> + >> +corecmd_exec_bin(ooffice_t) >> +corecmd_exec_shell(ooffice_t) >> + >> +dev_read_sysfs(ooffice_t) >> +dev_read_urand(ooffice_t) >> + >> +files_getattr_all_dirs(ooffice_t) >> +files_getattr_all_files(ooffice_t) >> +files_getattr_all_symlinks(ooffice_t) >> +files_read_etc_files(ooffice_t) >> +files_read_usr_files(ooffice_t) >> + >> +fs_getattr_xattr_fs(ooffice_t) >> + >> +miscfiles_read_fonts(ooffice_t) >> +miscfiles_read_localization(ooffice_t) >> + >> +sysnet_dns_name_resolve(ooffice_t) >> + >> +userdom_dontaudit_exec_user_home_content_files(ooffice_t) >> +userdom_manage_user_home_content_dirs(ooffice_t) >> +userdom_manage_user_home_content_files(ooffice_t) >> 
+userdom_manage_user_home_content_symlinks(ooffice_t) >> +userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir >file lnk_file fifo_file sock_file }) >> + >> +tunable_policy(`openoffice_allow_update',` >> + corenet_tcp_connect_http_port(ooffice_t) >> +') >> + >> +optional_policy(` >> + cups_read_config(ooffice_t) >> + cups_stream_connect(ooffice_t) >> +') >> + >> +optional_policy(` >> + dbus_all_session_bus_client(ooffice_t) >> +') >> + >> +optional_policy(` >> + evolution_domtrans(ooffice_t) >> + evolution_read_evolution_home_files(ooffice_t) >> +') >> + >> +optional_policy(` >> + hostname_exec(ooffice_t) >> +') >> + >> +optional_policy(` >> + java_exec(ooffice_t) >> +') >> + >> +optional_policy(` >> + mozilla_domtrans(ooffice_t) >> +') >> + >> +optional_policy(` >> + thunderbird_domtrans(ooffice_t) >> +') >> + >> +optional_policy(` >> + xserver_read_user_iceauth(ooffice_t) >> + xserver_read_user_xauth(ooffice_t) >> + xserver_read_xdm_tmp_files(ooffice_t) >> + xserver_stream_connect(ooffice_t) >> + xserver_stream_connect_xdm(ooffice_t) >> +') >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy >>
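Review bot: in the first evolution.if hunk, `evolution_read_evolution_home_files` requires `type evolution_t, evolution_home_t;` but its body only uses `evolution_home_t`, so the `evolution_t` require is dead and should be dropped. The interface also grants `read_files_pattern($1, evolution_home_t, evolution_home_t)` without letting the caller reach the home directory first; refpolicy home-content read interfaces pair this with `userdom_search_user_home_dirs($1)`. The doubled name could follow the neighbouring `evolution_home_filetrans` and simply read `evolution_read_home_files`.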
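Review bot: in the second evolution.if hunk, `domtrans_pattern($1, evolution_exec_t, evolution_t);` carries a trailing semicolon that no other pattern call in this patch has (compare `domtrans_pattern($1, ooffice_exec_t, ooffice_t)` in openoffice.if); the pattern macro already expands to complete statements, so the `;` should go to match refpolicy style and avoid a stray token in the expanded policy.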
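Review bot: in openoffice.fc, the `(.*)?` in `/opt/openoffice(.*)?/program/...` is just `.*` and also matches across `/`, so any `program/` subtree anywhere below a path beginning with `/opt/openoffice` gets ooffice_exec_t; a version suffix is normally matched with `[^/]*` (e.g. `/opt/openoffice[^/]*/program/soffice\.bin`), which keeps the label to the suite's own program directory. Every helper in that directory, including the shell scripts (`soffice`, `startup\.sh`, `open-url`), is given ooffice_exec_t, so each one becomes an entry point into ooffice_t; that is acceptable if intended, but a comment saying so would help the next reviewer.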
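Review bot: in openoffice.if, `ooffice_rw_ooffice_tmp_files` grants `rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)` without `files_search_tmp($1)`, so a caller that cannot already search /tmp gets no usable access; tmp-file interfaces in refpolicy include that search. Similarly, `ooffice_domtrans` omits the directory search that `evolution_domtrans` in the same patch adds with `corecmd_search_bin($1)`; since the .fc places ooffice_exec_t under /opt rather than a bin_t directory, the matching call is the search for the /opt tree (files_search_usr($1) under refpolicy's labelling of /opt as usr_t), or the interface documentation should state that callers must already have it.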
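Review bot: in openoffice.te, `userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })` names fifo_file and sock_file, but the manage rules above it (`userdom_manage_user_home_content_dirs/files/symlinks`) only cover dirs, files and symlinks, so either drop the two extra classes or add the matching manage calls. Those three manage calls also let ooffice_t write every user home content type, which turns ooffice_home_t into a labelling convenience rather than a boundary; a comment stating that documents may live anywhere in the home directory would make that intent explicit. `userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")` covers only `.openoffice`, while the .fc labels `.openoffice(\.org)?`; a second filetrans for `.openoffice.org` is needed if the version 3 layout mentioned in the commit message is meant to get ooffice_home_t on creation. Finally, `sysnet_dns_name_resolve(ooffice_t)` is unconditional while the only outbound connect, `corenet_tcp_connect_http_port(ooffice_t)`, sits inside `tunable_policy(\`openoffice_allow_update',...)`; if updates are the domain's only network use, moving the DNS call into the same block (and considering a `false` default for the tunable) leaves the domain with no network access when the boolean is off, and the `execmem` in `allow ooffice_t self:process { execmem getsched signal };` deserves a comment naming the component that needs writable executable memory.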