From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 24 May 2017 02:45:39 +0200
Subject: [refpolicy] [PATCH v2 2/3] openoffice: minor update
In-Reply-To: <78e32681-8fb4-87cf-545f-2bca05155729@ieee.org>
References: <1495294823.9446.2.camel@trentalancia.com> <1495294900.9946.0.camel@trentalancia.com> <07c4f80f-dd9a-2e00-1db2-f7b253ffef96@ieee.org> <1495571244.4869.9.camel@trentalancia.com> <78e32681-8fb4-87cf-545f-2bca05155729@ieee.org>
Message-ID: <748EA39B-93C5-42FB-945D-72E8402D17A0@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On the 24th of May 2017 02:37:23 CEST, Chris PeBenito wrote:
>On 05/23/2017 04:27 PM, Guido Trentalancia via refpolicy wrote:
>> Minor update for the Apache OpenOffice(R) module: part 2/3.
>>
>> This patch introduces a few minor changes to the Apache
>> OpenOffice(R) module, including fixes for smoother integration
>> with gnome.
>>
>> It no longer requires the userdomain interface that was
>> previously introduced with part 1/3 (now dropped) because
>> it now uses an OpenOffice interface (thanks to Christopher
>> PeBenito for suggesting this improvement).
>>
>> This is the second version (v2).
>>
>> Signed-off-by: Guido Trentalancia
>> ---
>> policy/modules/contrib/openoffice.if | 22 ++++++++++++++++++++++
>> policy/modules/contrib/openoffice.te | 17 +++++++++++++++++
>> 2 files changed, 39 insertions(+)
>>
>> --- a/policy/modules/contrib/openoffice.if 2017-05-23
>21:34:17.449592081 +0200
>> +++ b/policy/modules/contrib/openoffice.if 2017-05-23
>22:10:07.600583291 +0200
>> @@ -86,3 +86,25 @@ interface(`ooffice_rw_tmp_files',` >> >> rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t) >> ') >> + >> +####################################### >> +## >> +## Send and receive dbus messages >> +## from and to the openoffice >> +## domain. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`ooffice_dbus_chat',` >> + gen_require(` >> + type ooffice_t; >> + class dbus send_msg; >> + ') >> + >> + allow $1 ooffice_t:dbus send_msg; >> + allow ooffice_t $1:dbus send_msg; >> +') >> --- a/policy/modules/contrib/openoffice.te 2017-05-23 >21:34:17.461592081 +0200 >> +++ b/policy/modules/contrib/openoffice.te 2017-05-23 >22:09:20.740583482 +0200 >> @@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t >> >> can_exec(ooffice_t, ooffice_exec_t) >> >> +kernel_dontaudit_read_system_state(ooffice_t) >> + >> corecmd_exec_bin(ooffice_t) >> corecmd_exec_shell(ooffice_t) >> >> dev_read_sysfs(ooffice_t) >> dev_read_urand(ooffice_t) >> >> +domain_use_interactive_fds(ooffice_t) >> + >> files_getattr_all_dirs(ooffice_t) >> files_getattr_all_files(ooffice_t) >> files_getattr_all_symlinks(ooffice_t) >> @@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice >> sysnet_dns_name_resolve(ooffice_t) >> >> userdom_dontaudit_exec_user_home_content_files(ooffice_t) >> +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t) >> + >> userdom_read_user_tmp_files(ooffice_t) >> userdom_manage_user_home_content_dirs(ooffice_t) >> userdom_manage_user_home_content_files(ooffice_t) >> userdom_manage_user_home_content_symlinks(ooffice_t) >> userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir >file lnk_file fifo_file sock_file }) >> >> +userdom_manage_user_tmp_sockets(ooffice_t) >> + >> +userdom_use_inherited_user_terminals(ooffice_t) >> + >> tunable_policy(`openoffice_allow_update',` >> corenet_tcp_connect_http_port(ooffice_t) >> ') 
>> @@ -111,6 +121,8 @@ optional_policy(` >> >> optional_policy(` >> dbus_all_session_bus_client(ooffice_t) >> + >> + ooffice_dbus_chat(ooffice_t) > >This results in ooffice_t doing a dbus chat to itself and that's it. >Shouldn't this access be in oofice_role() so it applies to the user >domains? Oops, yes you are right, that's a mistake, thanks for telling me, I'll fix that in next version to come soon! >> ') >> >> optional_policy(` >> @@ -119,6 +131,11 @@ optional_policy(` >> ') >> >> optional_policy(` >> + gnome_dbus_chat_gconfd(ooffice_t) >> + gnome_stream_connect_gconf(ooffice_t) >> +') >> + >> +optional_policy(` >> hostname_exec(ooffice_t) >> ') >> Regards, Guido
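Review bot: The `kernel_dontaudit_read_system_state(ooffice_t)` added in the first openoffice.te hunk (@@ -66,12 +66,16 @@) silences a denial without recording what triggered it; the commit message only says "fixes for smoother integration with gnome". Please state the access that was being denied (which object under /proc, and during what operation) so a later reader can judge whether the read of system state should be allowed, kept dontaudited, or fixed in the application rather than hidden in policy.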
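Review bot: In the second openoffice.te hunk (@@ -88,12 +92,18 @@) each new call is wrapped in its own blank lines, which breaks up the userdom_ block that the existing lines keep contiguous; `userdom_manage_user_tmp_sockets(ooffice_t)` belongs next to `userdom_read_user_tmp_files(ooffice_t)` with the other user tmp rules, and `userdom_use_inherited_user_terminals(ooffice_t)` at the end of the same block, without the separating blank lines. As with the kernel dontaudit, `userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)` should come with a sentence in the commit message naming the denial it hides, since a dontaudit on directory manage in user tmp removes the audit trail for that access.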
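Review bot: Agreed with Chris on the dbus hunk (@@ -111,6 +121,8 @@): with $1 = ooffice_t, both rules in ooffice_dbus_chat() collapse to `allow ooffice_t ooffice_t:dbus send_msg`, so as posted the new interface grants nothing to any user domain and the gnome integration it is meant to enable does not change. When the call moves into ooffice_role(), keep it inside an optional_policy(` ... ') block as it is here beside dbus_all_session_bus_client(ooffice_t), so the module still builds when the dbus module is absent.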