From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 04 Dec 2016 18:54:20 +0100
Subject: [refpolicy] [PATCH v7 2/2] Apache OpenOffice module (contrib
	policy part)
In-Reply-To: <a208f9f5-134b-d64f-4a01-aca1e8daa467@ieee.org>
References: <1480113700.5692.4.camel@trentalancia.net>
	<cd596863-baf6-119b-c6d6-f5c4514fca7b@gmail.com>
	<add38373-4cca-dd58-3b3f-bc25307f544e@ieee.org>
	<f7425600-f061-a7f0-6cc0-75820552d8ce@gmail.com>
	<848bd66a-ead2-97e3-b952-265ab5d8c903@ieee.org>
	<1480506047.4743.15.camel@trentalancia.net>
	<129294c5-fc05-bd28-74b0-87e9bc3c2ef8@ieee.org>
	<1480677884.3915.7.camel@trentalancia.net>
	<1480860300.13582.3.camel@trentalancia.net>
	<1480865168.13582.18.camel@trentalancia.net>
	<a208f9f5-134b-d64f-4a01-aca1e8daa467@ieee.org>
Message-ID: <754214DD-7CF2-4556-99FC-A335599B4DE2@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

You can safely merge both patches.

Thanks, 

Guido 

On the 4th of December 2016 18:51:44 CET, Chris PeBenito <pebenito@ieee.org> ha wrote:
>On 12/04/16 10:26, Guido Trentalancia via refpolicy wrote:
>> This is a patch that I have created and tested to support Apache
>> OpenOffice with its own module (contrib policy part, 2/2).
>>
>> The file contexts (and initial tests) are based on the default
>> installation path for version 4 of the office suite.
>>
>> Since the second version it includes revisions from Dominick Grift.
>>
>> Since the third version it should correctly manage files in home
>> directories and allow some other major functionality.
>>
>> The fourth version of the patch introduces a boolean to enable or
>> disable software updates from the network (application and/or
>> extensions).
>>
>> The fifth version of the patch adds the ability to connect to the
>> X display manager (XDM) using Unix domain sockets (interface
>> xserver_stream_connect_xdm()). Also the fifth version splits the
>> whole patch into separate base policy / contrib policy patches as
>> required.
>>
>> The sixth version of the patch adds the ability to run the
>> evolution email application.
>>
>> This seventh version of the patch, improves the integration with
>> the evolution email application.
>>
>> Although this patch has only been tested with Apache OpenOffice
>> version 4, it might also work with earlier versions (in particular
>> version 3) or at least it can be easily adapted for the purpose.
>
>Are you still working on this?  I was about to merge v6 when this
>appeared.
>
>
>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/contrib/evolution.if  |   38 +++++++++++
>>  policy/modules/contrib/evolution.te  |    5 +
>>  policy/modules/contrib/openoffice.fc |   30 ++++++++
>>  policy/modules/contrib/openoffice.if |   67 +++++++++++++++++++
>>  policy/modules/contrib/openoffice.te |  118
>+++++++++++++++++++++++++++++++++++
>>  5 files changed, 258 insertions(+)
>>
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if
>refpolicy-git-25112016/policy/modules/contrib/evolution.if
>> ---
>refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if	2016-12-04
>16:02:48.317069925 +0100
>> +++
>refpolicy-git-25112016/policy/modules/contrib/evolution.if	2016-12-04
>16:03:37.777350810 +0100
>> @@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`
>>
>>  ########################################
>>  ## <summary>
>> +##	Read evolution home files.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`evolution_read_evolution_home_files',`
>> +	gen_require(`
>> +		type evolution_t, evolution_home_t;
>> +	')
>> +
>> +	read_files_pattern($1, evolution_home_t, evolution_home_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>>  ##	Connect to evolution using a unix
>>  ##	domain stream socket.
>>  ## </summary>
>> @@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',`
>>  	allow $1 evolution_alarm_t:dbus send_msg;
>>  	allow evolution_alarm_t $1:dbus send_msg;
>>  ')
>> +
>> +########################################
>> +## <summary>
>> +##	Make a domain transition to the
>> +##	evolution target domain.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`evolution_domtrans',`
>> +	gen_require(`
>> +		type evolution_t, evolution_exec_t;
>> +	')
>> +
>> +	corecmd_search_bin($1)
>> +	domtrans_pattern($1, evolution_exec_t, evolution_t);
>> +')
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te
>refpolicy-git-25112016/policy/modules/contrib/evolution.te
>> ---
>refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te	2016-12-04
>15:48:16.164030673 +0100
>> +++
>refpolicy-git-25112016/policy/modules/contrib/evolution.te	2016-12-04
>15:48:37.116534261 +0100
>> @@ -270,6 +270,11 @@ optional_policy(`
>>  ')
>>
>>  optional_policy(`
>> +	ooffice_domtrans(evolution_t)
>> +	ooffice_rw_ooffice_tmp_files(evolution_t)
>> +')
>> +
>> +optional_policy(`
>>  	spamassassin_exec_spamd(evolution_t)
>>  	spamassassin_domtrans_client(evolution_t)
>>  	spamassassin_domtrans_local_client(evolution_t)
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc
>refpolicy-git-25112016/policy/modules/contrib/openoffice.fc
>> ---
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc	1970-01-01
>01:00:00.000000000 +0100
>> +++
>refpolicy-git-25112016/policy/modules/contrib/openoffice.fc	2016-12-04
>14:34:22.734742098 +0100
>> @@ -0,0 +1,30 @@
>>
>+HOME_DIR/\.openoffice(\.org)?(/.*)?	gen_context(system_u:object_r:ooffice_home_t,s0)
>> +
>>
>+/opt/openoffice(.*)?/program/cde-open-url		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/gnome-open-url		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/gnome-open-url\.bin	--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/javaldx			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/kde-open-url		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/open-url			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/pagein			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/regcomp\.bin		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/regmerge			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/regview			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/sbase			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/scalc			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/sdraw			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/senddoc			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/simpress			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/smath			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/soffice			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/soffice\.bin		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/spadmin			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/spadmin\.bin		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/startup\.sh		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/swriter			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/uno\.bin			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/unoinfo			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/unopkg			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/unopkg\.bin		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/unpack_update		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>>
>+/opt/openoffice(.*)?/program/uri-encode			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if
>refpolicy-git-25112016/policy/modules/contrib/openoffice.if
>> ---
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if	1970-01-01
>01:00:00.000000000 +0100
>> +++
>refpolicy-git-25112016/policy/modules/contrib/openoffice.if	2016-12-04
>15:36:53.136278874 +0100
>> @@ -0,0 +1,67 @@
>> +## <summary>Openoffice suite.</summary>
>> +
>> +############################################################
>> +## <summary>
>> +##	Role access for openoffice.
>> +## </summary>
>> +## <param name="role">
>> +##	<summary>
>> +##	Role allowed access.
>> +##	</summary>
>> +## </param>
>> +## <param name="domain">
>> +##	<summary>
>> +##	User domain for the role.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`ooffice_role',`
>> +	gen_require(`
>> +		attribute_role ooffice_roles;
>> +		type ooffice_t, ooffice_exec_t;
>> +        ')
>> +
>> +	roleattribute $1 ooffice_roles;
>> +
>> +	domtrans_pattern($2, ooffice_exec_t, ooffice_t)
>> +
>> +	allow $2 ooffice_t:process { ptrace signal_perms };
>> +	ps_process_pattern($2, ooffice_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	Run openoffice in its own domain.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed to transition.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`ooffice_domtrans',`
>> +	gen_require(`
>> +		type ooffice_t, ooffice_exec_t;
>> +	')
>> +
>> +	domtrans_pattern($1, ooffice_exec_t, ooffice_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	Read and write temporary
>> +##	openoffice files.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`ooffice_rw_ooffice_tmp_files',`
>> +	gen_require(`
>> +		type ooffice_tmp_t;
>> +	')
>> +
>> +	rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
>> +')
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te
>refpolicy-git-25112016/policy/modules/contrib/openoffice.te
>> ---
>refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te	1970-01-01
>01:00:00.000000000 +0100
>> +++
>refpolicy-git-25112016/policy/modules/contrib/openoffice.te	2016-12-04
>16:05:06.872422860 +0100
>> @@ -0,0 +1,118 @@
>> +policy_module(openoffice, 1.0.0)
>> +
>> +##############################
>> +#
>> +# Declarations
>> +#
>> +
>> +## <desc>
>> +##	<p>
>> +##	Determine whether openoffice can
>> +##	download software updates from the
>> +##	network (application and/or
>> +##	extensions).
>> +##	</p>
>> +## </desc>
>> +gen_tunable(openoffice_allow_update, true)
>> +
>> +attribute_role ooffice_roles;
>> +
>> +type ooffice_t;
>> +type ooffice_exec_t;
>> +userdom_user_application_domain(ooffice_t, ooffice_exec_t)
>> +role ooffice_roles types ooffice_t;
>> +
>> +type ooffice_home_t;
>> +userdom_user_home_content(ooffice_home_t)
>> +
>> +type ooffice_tmp_t;
>> +files_tmp_file(ooffice_tmp_t)
>> +
>> +##############################
>> +#
>> +# Openoffice local policy
>> +#
>> +
>> +allow ooffice_t self:process { execmem getsched signal };
>> +allow ooffice_t self:shm create_shm_perms;
>> +allow ooffice_t self:fifo_file rw_fifo_file_perms;
>> +allow ooffice_t self:unix_stream_socket connectto;
>> +
>> +allow ooffice_t ooffice_home_t:dir manage_dir_perms;
>> +allow ooffice_t ooffice_home_t:file manage_file_perms;
>> +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
>> +userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir,
>".openoffice")
>> +
>> +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
>> +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
>> +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
>> +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file
>})
>> +
>> +can_exec(ooffice_t, ooffice_exec_t)
>> +
>> +corecmd_exec_bin(ooffice_t)
>> +corecmd_exec_shell(ooffice_t)
>> +
>> +dev_read_sysfs(ooffice_t)
>> +dev_read_urand(ooffice_t)
>> +
>> +files_getattr_all_dirs(ooffice_t)
>> +files_getattr_all_files(ooffice_t)
>> +files_getattr_all_symlinks(ooffice_t)
>> +files_read_etc_files(ooffice_t)
>> +files_read_usr_files(ooffice_t)
>> +
>> +fs_getattr_xattr_fs(ooffice_t)
>> +
>> +miscfiles_read_fonts(ooffice_t)
>> +miscfiles_read_localization(ooffice_t)
>> +
>> +sysnet_dns_name_resolve(ooffice_t)
>> +
>> +userdom_dontaudit_exec_user_home_content_files(ooffice_t)
>> +userdom_manage_user_home_content_dirs(ooffice_t)
>> +userdom_manage_user_home_content_files(ooffice_t)
>> +userdom_manage_user_home_content_symlinks(ooffice_t)
>> +userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir
>file lnk_file fifo_file sock_file })
>> +
>> +tunable_policy(`openoffice_allow_update',`
>> +	corenet_tcp_connect_http_port(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> +	cups_read_config(ooffice_t)
>> +	cups_stream_connect(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> +	dbus_all_session_bus_client(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> +	evolution_domtrans(ooffice_t)
>> +	evolution_read_evolution_home_files(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> +	hostname_exec(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> +	java_exec(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> +	mozilla_domtrans(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> +	thunderbird_domtrans(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> +	xserver_read_user_iceauth(ooffice_t)
>> +	xserver_read_user_xauth(ooffice_t)
>> +	xserver_read_xdm_tmp_files(ooffice_t)
>> +	xserver_stream_connect(ooffice_t)
>> +	xserver_stream_connect_xdm(ooffice_t)
>> +')
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>