From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 23 May 2017 22:27:04 +0200
Subject: [refpolicy] [PATCH 2/3] openoffice: minor update
In-Reply-To: <07c4f80f-dd9a-2e00-1db2-f7b253ffef96@ieee.org>
References: <1495294823.9446.2.camel@trentalancia.com> <1495294900.9946.0.camel@trentalancia.com> <07c4f80f-dd9a-2e00-1db2-f7b253ffef96@ieee.org>
Message-ID: <1495571224.4869.8.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

On Mon, 22/05/2017 at 19.21 -0400, Chris PeBenito wrote:
> On 05/20/2017 11:41 AM, Guido Trentalancia via refpolicy wrote: > > Minor update for the Apache OpenOffice(R) module: part 2/3. > > > > This patch introduces a few minor changes to the Apache > > OpenOffice(R) module, including fixes for smoother integration > > with gnome. > > > > It requires a userdomain interface introduced with part 1/3. > > > > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/contrib/openoffice.te |???17 +++++++++++++++++ > > ?1 file changed, 17 insertions(+) > > > > --- a/policy/modules/contrib/openoffice.te 2017-04-21 > > 20:01:32.406190979 +0200 > > +++ b/policy/modules/contrib/openoffice.te 2017-05-20 > > 16:50:54.352231478 +0200 > > @@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t > > > > ?can_exec(ooffice_t, ooffice_exec_t) > > > > +kernel_dontaudit_read_system_state(ooffice_t) > > + > > ?corecmd_exec_bin(ooffice_t) > > ?corecmd_exec_shell(ooffice_t) > > > > ?dev_read_sysfs(ooffice_t) > > ?dev_read_urand(ooffice_t) > > > > +domain_use_interactive_fds(ooffice_t) > > + > > ?files_getattr_all_dirs(ooffice_t) > > ?files_getattr_all_files(ooffice_t) > > ?files_getattr_all_symlinks(ooffice_t) 
> > @@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice > > ?sysnet_dns_name_resolve(ooffice_t) > > > > ?userdom_dontaudit_exec_user_home_content_files(ooffice_t) > > +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t) > > + > > ?userdom_read_user_tmp_files(ooffice_t) > > ?userdom_manage_user_home_content_dirs(ooffice_t) > > ?userdom_manage_user_home_content_files(ooffice_t) > > ?userdom_manage_user_home_content_symlinks(ooffice_t) > > ?userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir > > file lnk_file fifo_file sock_file }) > > > > +userdom_manage_user_tmp_sockets(ooffice_t) > > This seems odd.??Why would it need to create or delete the sockets?? > There isn't a filetrans so it couldn't create sockets with the type > either. It manages sockets with the generic user tmp label. Such files are shared with gconfd_t (see part 3/3). > > +userdom_use_inherited_user_terminals(ooffice_t) > > + > > ?tunable_policy(`openoffice_allow_update',` > > ? corenet_tcp_connect_http_port(ooffice_t) > > ?') > > @@ -111,6 +121,8 @@ optional_policy(` > > > > ?optional_policy(` > > ? dbus_all_session_bus_client(ooffice_t) > > + > > + userdom_dbus_chat_all_users(ooffice_t) > > ?') > > > > ?optional_policy(` > > @@ -119,6 +131,11 @@ optional_policy(` > > ?') > > > > ?optional_policy(` > > + gnome_dbus_chat_gconfd(ooffice_t) > > + gnome_stream_connect_gconf(ooffice_t) > > +') > > + > > +optional_policy(` > > ? hostname_exec(ooffice_t) > > ?') Regards, Guido
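Review bot: in the @@ -66,12 +66,16 @@ hunk, kernel_dontaudit_read_system_state(ooffice_t) silences a denial instead of deciding it, and the commit message ("fixes for smoother integration with gnome") does not say what the office suite tries to read under /proc. Please state the triggering denial so a reviewer can tell whether the access is a harmless probe (dontaudit is right) or something the application actually needs, in which case it should be granted with kernel_read_system_state(ooffice_t) rather than hidden, because a dontaudit over a needed access turns into silent failures that are hard to diagnose later. domain_use_interactive_fds(ooffice_t) in the same hunk is the normal grant for a user-launched application and needs no further explanation.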
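Review bot: userdom_manage_user_tmp_sockets(ooffice_t) in the @@ -88,12 +92,18 @@ hunk grants create and unlink on user_tmp_t sock_file objects, which is considerably broader than connecting to an existing gconfd socket, and the justification given only in this reply (the sockets are shared with gconfd_t, handled in part 3/3) should go into the commit message where it will survive in the history. The same hunk adds userdom_dontaudit_manage_user_tmp_dirs(ooffice_t) without naming the denial it silences, and the message says the patch "requires a userdomain interface introduced with part 1/3" without saying which one; naming that interface makes the ordering dependency between the three patches explicit. As a style point, the new userdom_manage_user_tmp_sockets line sits after the userdom_user_home_dir_filetrans_user_home_content(...) call, separated from the other userdom_manage_* calls; keeping it next to userdom_manage_user_home_content_symlinks(ooffice_t) would make the grant easier to spot.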
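Review bot: userdom_dbus_chat_all_users(ooffice_t) in the @@ -111,6 +121,8 @@ hunk allows D-Bus message exchange with every user domain on the system, not only the domain of the user who launched the suite; if the session-bus integration only needs the invoking user's domain, the commit message should say why the all-users form was chosen.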
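Review bot: in the @@ -119,6 +131,11 @@ hunk, gnome_dbus_chat_gconfd(ooffice_t) is placed in its own gnome optional_policy block, whereas refpolicy usually nests the *_dbus_chat_* calls of other modules inside the block that already contains dbus_all_session_bus_client(ooffice_t) (the one touched in the @@ -111,6 +121,8 @@ hunk), next to userdom_dbus_chat_all_users(ooffice_t); consider moving it there and keeping only gnome_stream_connect_gconf(ooffice_t) in the gnome block. Since gnome_stream_connect_gconf is the call that covers talking to the gconfd socket, the commit message should also explain what the separate userdom_manage_user_tmp_sockets(ooffice_t) grant in the @@ -88,12 +92,18 @@ hunk adds on top of it once part 3/3 is applied. The placement of the new block before the hostname one is consistent with the module's alphabetical ordering of optional_policy blocks.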