From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 24 May 2017 19:40:57 -0400 Subject: [refpolicy] [PATCH v3 2/3] openoffice: minor update In-Reply-To: <1495587584.12794.0.camel@trentalancia.com> References: <1495294823.9446.2.camel@trentalancia.com> <1495294900.9946.0.camel@trentalancia.com> <07c4f80f-dd9a-2e00-1db2-f7b253ffef96@ieee.org> <1495571244.4869.9.camel@trentalancia.com> <78e32681-8fb4-87cf-545f-2bca05155729@ieee.org> <748EA39B-93C5-42FB-945D-72E8402D17A0@trentalancia.com> <1495587584.12794.0.camel@trentalancia.com> Message-ID: <468c43cd-177a-6f46-ba09-8f9b0feec81c@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/23/2017 08:59 PM, Guido Trentalancia via refpolicy wrote: > Minor update for the Apache OpenOffice(R) module: part 2/3. > > This patch introduces a few minor changes to the Apache > OpenOffice(R) module, including fixes for smoother integration > with gnome. > > It does no longer require the userdomain interface that was > previously introduced with part 1/3 (now dropped) because > it now uses an OpenOffice interface (thanks to Christopher > PeBenito for suggesting this improvement). > > This is the third version (v3). > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/openoffice.if | 26 ++++++++++++++++++++++++++ > policy/modules/contrib/openoffice.te | 15 +++++++++++++++ > 2 files changed, 41 insertions(+) > > --- a/policy/modules/contrib/openoffice.if 2017-05-23 21:34:17.449592081 +0200 > +++ b/policy/modules/contrib/openoffice.if 2017-05-24 02:51:36.619752164 +0200 > @@ -29,6 +29,10 @@ interface(`ooffice_role',` > > allow $2 ooffice_t:process { ptrace signal_perms }; > ps_process_pattern($2, ooffice_t) > + > + optional_policy(` > + ooffice_dbus_chat($2) > + ') > ') > > ######################################## 
> @@ -86,3 +90,25 @@ interface(`ooffice_rw_tmp_files',` > > rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t) > ') > + > +####################################### > +## > +## Send and receive dbus messages > +## from and to the openoffice > +## domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`ooffice_dbus_chat',` > + gen_require(` > + type ooffice_t; > + class dbus send_msg; > + ') > + > + allow $1 ooffice_t:dbus send_msg; > + allow ooffice_t $1:dbus send_msg; > +') > --- a/policy/modules/contrib/openoffice.te 2017-05-23 21:34:17.461592081 +0200 > +++ b/policy/modules/contrib/openoffice.te 2017-05-24 02:51:16.982752038 +0200 > @@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t > > can_exec(ooffice_t, ooffice_exec_t) > > +kernel_dontaudit_read_system_state(ooffice_t) > + > corecmd_exec_bin(ooffice_t) > corecmd_exec_shell(ooffice_t) > > dev_read_sysfs(ooffice_t) > dev_read_urand(ooffice_t) > > +domain_use_interactive_fds(ooffice_t) > + > files_getattr_all_dirs(ooffice_t) > files_getattr_all_files(ooffice_t) > files_getattr_all_symlinks(ooffice_t) > @@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice > sysnet_dns_name_resolve(ooffice_t) > > userdom_dontaudit_exec_user_home_content_files(ooffice_t) > +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t) > + > userdom_read_user_tmp_files(ooffice_t) > userdom_manage_user_home_content_dirs(ooffice_t) > userdom_manage_user_home_content_files(ooffice_t) > userdom_manage_user_home_content_symlinks(ooffice_t) > userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file }) > > +userdom_manage_user_tmp_sockets(ooffice_t) > + > +userdom_use_inherited_user_terminals(ooffice_t) > + > tunable_policy(`openoffice_allow_update',` > corenet_tcp_connect_http_port(ooffice_t) > ') 
> @@ -119,6 +129,11 @@ optional_policy(` > ') > > optional_policy(` > + gnome_dbus_chat_gconfd(ooffice_t) > + gnome_stream_connect_gconf(ooffice_t) > +') > + > +optional_policy(` > hostname_exec(ooffice_t) > ') Merged. -- Chris PeBenito
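Review bot: in the `ooffice_role` hunk of openoffice.if (`@@ -29,6 +29,10`), the `optional_policy` wrapper around `ooffice_dbus_chat($2)` does not appear to guard on anything beyond the module itself. The only requirements it pulls in are those in the `gen_require` of `ooffice_dbus_chat` shown in the next hunk, `type ooffice_t` and `class dbus send_msg`, and `ooffice_t` is already used unconditionally by the `allow $2 ooffice_t:process` line just above. If the intent is to grant the chat rules only when D-Bus policy is present, the block should also call an interface from that module. Otherwise call `ooffice_dbus_chat($2)` directly. Either way, every role domain passed as `$2` now gets two-way `send_msg` with `ooffice_t`, so the `ooffice_role` documentation should say so.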
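Review bot: in the first openoffice.te hunk (`@@ -66,12 +66,16`), neither `kernel_dontaudit_read_system_state(ooffice_t)` nor `domain_use_interactive_fds(ooffice_t)` is explained by the commit message, which only mentions gnome integration. A dontaudit rule keeps the denial out of the audit log, so please add a one-line comment above it stating which access is being silenced and why denying it is harmless. A short note on what needs the interactive file descriptors would help the next reader as well.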
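Review bot: in the second openoffice.te hunk (`@@ -88,12 +92,18`), the three added `userdom_` calls are each set off by blank lines, which splits what was one contiguous `userdom_` block into four groups. Keep them in the existing block, with the two dontaudit lines together followed by the allow lines. The hunk also adds `userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)` next to `userdom_manage_user_tmp_sockets(ooffice_t)`, so directory management under the user tmp area is silently denied while socket management is granted. A comment stating that this split is intended would make it clear the dontaudit is not masking an access the sockets rule depends on.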