Minor update for the Apache OpenOffice(R) module: part 1/3.
This patch introduces a new interface to allow bidirectional
dbus chat from/to the user domain (instead of only unidirectional
messaging).
The new interface is used by part 2/3.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/userdomain.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
--- a/policy/modules/system/userdomain.if 2017-04-26 17:47:14.081423048 +0200
+++ b/policy/modules/system/userdomain.if 2017-05-20 15:55:50.405244985 +0200
@@ -4018,6 +4018,27 @@ interface(`userdom_dbus_send_all_users',
########################################
## <summary>
+## Send and receive dbus messages
+## from and to all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dbus_chat_all_users',`
+ gen_require(`
+ attribute userdomain;
+ class dbus send_msg;
+ ')
+
+ allow $1 userdomain:dbus send_msg;
+ allow userdomain $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read and write
## unserdomain stream.
## </summary>
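Review bot: The two allow rules at the end of the hunk span the whole `userdomain` attribute in both directions, so any caller of `userdom_dbus_chat_all_users` can exchange dbus messages with every domain carrying that attribute, including administrative user domains if they carry it too, and the summary does not say so. I would widen the summary to name the scope, e.g. `## Send and receive dbus messages from and to all user domains (every domain with the userdomain attribute).`, so a module author picks this over the narrower per-role interface only on purpose. The interface is fully visible in the hunk.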
Minor update for the Apache OpenOffice(R) module: part 2/3.
This patch introduces a few minor changes to the Apache
OpenOffice(R) module, including fixes for smoother integration
with gnome.
It requires a userdomain interface introduced with part 1/3.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/openoffice.te | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/policy/modules/contrib/openoffice.te 2017-04-21 20:01:32.406190979 +0200
+++ b/policy/modules/contrib/openoffice.te 2017-05-20 16:50:54.352231478 +0200
@@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t
can_exec(ooffice_t, ooffice_exec_t)
+kernel_dontaudit_read_system_state(ooffice_t)
+
corecmd_exec_bin(ooffice_t)
corecmd_exec_shell(ooffice_t)
dev_read_sysfs(ooffice_t)
dev_read_urand(ooffice_t)
+domain_use_interactive_fds(ooffice_t)
+
files_getattr_all_dirs(ooffice_t)
files_getattr_all_files(ooffice_t)
files_getattr_all_symlinks(ooffice_t)
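Review bot: `kernel_dontaudit_read_system_state(ooffice_t)` on the first added line silences a denial rather than granting access, and neither the hunk nor the commit message records which operation produced it; the same applies to `userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)` in the next hunk. A dontaudit removes that access from the audit trail for good, so a one-line comment above each rule naming the observed denial would let a later reviewer judge whether the noise is still benign. The same lines recur unchanged in the v2 and v3 versions of this patch further down the thread.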
@@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice
sysnet_dns_name_resolve(ooffice_t)
userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
+
userdom_read_user_tmp_files(ooffice_t)
userdom_manage_user_home_content_dirs(ooffice_t)
userdom_manage_user_home_content_files(ooffice_t)
userdom_manage_user_home_content_symlinks(ooffice_t)
userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+userdom_manage_user_tmp_sockets(ooffice_t)
+
+userdom_use_inherited_user_terminals(ooffice_t)
+
tunable_policy(`openoffice_allow_update',`
corenet_tcp_connect_http_port(ooffice_t)
')
@@ -111,6 +121,8 @@ optional_policy(`
optional_policy(`
dbus_all_session_bus_client(ooffice_t)
+
+ userdom_dbus_chat_all_users(ooffice_t)
')
optional_policy(`
@@ -119,6 +131,11 @@ optional_policy(`
')
optional_policy(`
+ gnome_dbus_chat_gconfd(ooffice_t)
+ gnome_stream_connect_gconf(ooffice_t)
+')
+
+optional_policy(`
hostname_exec(ooffice_t)
')
Minor update for the Apache OpenOffice(R) module: part 3/3.
This patch introduces minor changes in the gnome module for
smoother integration with Apache OpenOffice(R).
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gnome.te | 7 ++++++-
policy/modules/contrib/openoffice.if | 20 ++++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
--- a/policy/modules/contrib/gnome.te 2017-04-21 20:01:32.406190979 +0200
+++ b/policy/modules/contrib/gnome.te 2017-05-20 16:41:23.878233810 +0200
@@ -98,7 +98,8 @@ kernel_read_system_state(gconfd_t)
files_read_var_lib_files(gconfd_t)
userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, { dir sock_file })
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
optional_policy(`
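Review bot: The new `userdom_tmp_filetrans_user_tmp(gconfd_t, { dir sock_file })` labels any socket gconfd creates in tmp with the generic user tmp type, so every domain that manages user tmp sockets can reach it, not only the openoffice domain this series is about. If the gnome module already declares a gconf-specific tmp type (which is what `gnome_stream_connect_gconf` in part 2/3 presumably connects to; not visible here), a sock_file transition to that type would keep the peer set narrow and consistent with that interface. A short comment above the transition naming the socket in question would help either way.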
@@ -111,6 +112,10 @@ optional_policy(`
nscd_dontaudit_search_pid(gconfd_t)
')
+optional_policy(`
+ ooffice_stream_connect(gconfd_t)
+')
+
##############################
#
# Keyring-daemon local policy
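Review bot: `ooffice_stream_connect(gconfd_t)` makes gconfd the connecting side, while part 2/3 also gives `ooffice_t` `gnome_stream_connect_gconf`, so the unix stream socket between the two is permitted in both directions and the commit message does not say which process actually listens. If only one direction is observed in practice, dropping the other keeps gconfd's reach into user application sockets minimal. A comment above the block such as `# gconfd connects to the socket openoffice creates under its tmp type` (or the reverse, whichever was observed) would settle it.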
--- a/policy/modules/contrib/openoffice.if 2017-03-29 17:58:00.303386397 +0200
+++ b/policy/modules/contrib/openoffice.if 2017-05-20 16:40:46.358233963 +0200
@@ -86,3 +86,23 @@ interface(`ooffice_dontaudit_exec_tmp_fi
dontaudit $1 ooffice_tmp_t:file exec_file_perms;
')
+
+########################################
+## <summary>
+## Connect to openoffice using a
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_stream_connect',`
+ gen_require(`
+ type ooffice_t, ooffice_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t)
+')
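Review bot: `stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t)` only works if `ooffice_t` actually creates its listening socket with the `ooffice_tmp_t` label; the `files_tmp_filetrans(ooffice_t, ooffice_t...` context in the part 2/3 hunk header is truncated, so whether `sock_file` is in that transition's class list cannot be confirmed from this thread. If it is not, the interface grants connectto on a socket type that is never produced and gconfd will still be denied. Worth checking the transition in openoffice.te and, if needed, adding `sock_file` there in the same series.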
On 05/20/2017 11:40 AM, Guido Trentalancia via refpolicy wrote:
> Minor update for the Apache OpenOffice(R) module: part 1/3.
>
> This patch introduces a new interface to allow bidirectional
> dbus chat from/to the user domain (instead of only unidirectional
> messaging).
>
> The new interface is used by part 2/3.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/system/userdomain.if | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> --- a/policy/modules/system/userdomain.if 2017-04-26 17:47:14.081423048 +0200
> +++ b/policy/modules/system/userdomain.if 2017-05-20 15:55:50.405244985 +0200
> @@ -4018,6 +4018,27 @@ interface(`userdom_dbus_send_all_users',
>
> ########################################
> ## <summary>
> +## Send and receive dbus messages
> +## from and to all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_dbus_chat_all_users',`
> + gen_require(`
> + attribute userdomain;
> + class dbus send_msg;
> + ')
> +
> + allow $1 userdomain:dbus send_msg;
> + allow userdomain $1:dbus send_msg;
> +')
Generally I feel that whichever domain is more like a service should provide
the dbus chat interface. Neither side really fits that description in
this case, but since userdomain hasn't needed this access yet, I think
it makes more sense for it to go in the openoffice module. In fact, it
might make the most sense in ooffice_role().
--
Chris PeBenito
On 05/20/2017 11:41 AM, Guido Trentalancia via refpolicy wrote:
> Minor update for the Apache OpenOffice(R) module: part 2/3.
>
> This patch introduces a few minor changes to the Apache
> OpenOffice(R) module, including fixes for smoother integration
> with gnome.
>
> It requires a userdomain interface introduced with part 1/3.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/openoffice.te | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> --- a/policy/modules/contrib/openoffice.te 2017-04-21 20:01:32.406190979 +0200
> +++ b/policy/modules/contrib/openoffice.te 2017-05-20 16:50:54.352231478 +0200
> @@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t
>
> can_exec(ooffice_t, ooffice_exec_t)
>
> +kernel_dontaudit_read_system_state(ooffice_t)
> +
> corecmd_exec_bin(ooffice_t)
> corecmd_exec_shell(ooffice_t)
>
> dev_read_sysfs(ooffice_t)
> dev_read_urand(ooffice_t)
>
> +domain_use_interactive_fds(ooffice_t)
> +
> files_getattr_all_dirs(ooffice_t)
> files_getattr_all_files(ooffice_t)
> files_getattr_all_symlinks(ooffice_t)
> @@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice
> sysnet_dns_name_resolve(ooffice_t)
>
> userdom_dontaudit_exec_user_home_content_files(ooffice_t)
> +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
> +
> userdom_read_user_tmp_files(ooffice_t)
> userdom_manage_user_home_content_dirs(ooffice_t)
> userdom_manage_user_home_content_files(ooffice_t)
> userdom_manage_user_home_content_symlinks(ooffice_t)
> userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
>
> +userdom_manage_user_tmp_sockets(ooffice_t)
This seems odd. Why would it need to create or delete the sockets?
There isn't a filetrans so it couldn't create sockets with the type either.
> +userdom_use_inherited_user_terminals(ooffice_t)
> +
> tunable_policy(`openoffice_allow_update',`
> corenet_tcp_connect_http_port(ooffice_t)
> ')
> @@ -111,6 +121,8 @@ optional_policy(`
>
> optional_policy(`
> dbus_all_session_bus_client(ooffice_t)
> +
> + userdom_dbus_chat_all_users(ooffice_t)
> ')
>
> optional_policy(`
> @@ -119,6 +131,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + gnome_dbus_chat_gconfd(ooffice_t)
> + gnome_stream_connect_gconf(ooffice_t)
> +')
> +
> +optional_policy(`
> hostname_exec(ooffice_t)
> ')
--
Chris PeBenito
Following recent feedback received from Christopher PeBenito, this part
of the patchset is now dropped.
The interface has been moved to the second version (v2) of part 2/3
(openoffice module).
Part 3/3 remains unchanged.
Thanks,
Guido
On Sat, 20/05/2017 at 17.40 +0200, Guido Trentalancia via
refpolicy wrote:
> Minor update for the Apache OpenOffice(R) module: part 1/3.
>
> This patch introduces a new interface to allow bidirectional
> dbus chat from/to the user domain (instead of only unidirectional
> messaging).
>
> The new interface is used by part 2/3.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> ?policy/modules/system/userdomain.if |???21 +++++++++++++++++++++
> ?1 file changed, 21 insertions(+)
>
> --- a/policy/modules/system/userdomain.if 2017-04-26
> 17:47:14.081423048 +0200
> +++ b/policy/modules/system/userdomain.if 2017-05-20
> 15:55:50.405244985 +0200
> @@ -4018,6 +4018,27 @@ interface(`userdom_dbus_send_all_users',
> ?
> ?########################################
> ?## <summary>
> +## Send and receive dbus messages
> +## from and to all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_dbus_chat_all_users',`
> + gen_require(`
> + attribute userdomain;
> + class dbus send_msg;
> + ')
> +
> + allow $1 userdomain:dbus send_msg;
> + allow userdomain $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ?##?????Do not audit attempts to read and write
> ?##?????unserdomain stream.
> ?## </summary>
Hello Christopher.
On Mon, 22/05/2017 at 19.21 -0400, Chris PeBenito wrote:
> On 05/20/2017 11:41 AM, Guido Trentalancia via refpolicy wrote:
> > Minor update for the Apache OpenOffice(R) module: part 2/3.
> >
> > This patch introduces a few minor changes to the Apache
> > OpenOffice(R) module, including fixes for smoother integration
> > with gnome.
> >
> > It requires a userdomain interface introduced with part 1/3.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/contrib/openoffice.te |???17 +++++++++++++++++
> > ?1 file changed, 17 insertions(+)
> >
> > --- a/policy/modules/contrib/openoffice.te 2017-04-21
> > 20:01:32.406190979 +0200
> > +++ b/policy/modules/contrib/openoffice.te 2017-05-20
> > 16:50:54.352231478 +0200
> > @@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t
> >
> > ?can_exec(ooffice_t, ooffice_exec_t)
> >
> > +kernel_dontaudit_read_system_state(ooffice_t)
> > +
> > ?corecmd_exec_bin(ooffice_t)
> > ?corecmd_exec_shell(ooffice_t)
> >
> > ?dev_read_sysfs(ooffice_t)
> > ?dev_read_urand(ooffice_t)
> >
> > +domain_use_interactive_fds(ooffice_t)
> > +
> > ?files_getattr_all_dirs(ooffice_t)
> > ?files_getattr_all_files(ooffice_t)
> > ?files_getattr_all_symlinks(ooffice_t)
> > @@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice
> > ?sysnet_dns_name_resolve(ooffice_t)
> >
> > ?userdom_dontaudit_exec_user_home_content_files(ooffice_t)
> > +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
> > +
> > ?userdom_read_user_tmp_files(ooffice_t)
> > ?userdom_manage_user_home_content_dirs(ooffice_t)
> > ?userdom_manage_user_home_content_files(ooffice_t)
> > ?userdom_manage_user_home_content_symlinks(ooffice_t)
> > ?userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir
> > file lnk_file fifo_file sock_file })
> >
> > +userdom_manage_user_tmp_sockets(ooffice_t)
>
> This seems odd.??Why would it need to create or delete the sockets??
> There isn't a filetrans so it couldn't create sockets with the type
> either.
It manages sockets with the generic user tmp label. Such files are
shared with gconfd_t (see part 3/3).
> > +userdom_use_inherited_user_terminals(ooffice_t)
> > +
> > ?tunable_policy(`openoffice_allow_update',`
> > ? corenet_tcp_connect_http_port(ooffice_t)
> > ?')
> > @@ -111,6 +121,8 @@ optional_policy(`
> >
> > ?optional_policy(`
> > ? dbus_all_session_bus_client(ooffice_t)
> > +
> > + userdom_dbus_chat_all_users(ooffice_t)
> > ?')
> >
> > ?optional_policy(`
> > @@ -119,6 +131,11 @@ optional_policy(`
> > ?')
> >
> > ?optional_policy(`
> > + gnome_dbus_chat_gconfd(ooffice_t)
> > + gnome_stream_connect_gconf(ooffice_t)
> > +')
> > +
> > +optional_policy(`
> > ? hostname_exec(ooffice_t)
> > ?')
Regards,
Guido
Minor update for the Apache OpenOffice(R) module: part 2/3.
This patch introduces a few minor changes to the Apache
OpenOffice(R) module, including fixes for smoother integration
with gnome.
It no longer requires the userdomain interface that was
previously introduced with part 1/3 (now dropped), because
it now uses an OpenOffice interface (thanks to Christopher
PeBenito for suggesting this improvement).
This is the second version (v2).
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/openoffice.if | 22 ++++++++++++++++++++++
policy/modules/contrib/openoffice.te | 17 +++++++++++++++++
2 files changed, 39 insertions(+)
--- a/policy/modules/contrib/openoffice.if 2017-05-23 21:34:17.449592081 +0200
+++ b/policy/modules/contrib/openoffice.if 2017-05-23 22:10:07.600583291 +0200
@@ -86,3 +86,25 @@ interface(`ooffice_rw_tmp_files',`
rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
')
+
+#######################################
+## <summary>
+## Send and receive dbus messages
+## from and to the openoffice
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_dbus_chat',`
+ gen_require(`
+ type ooffice_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ooffice_t:dbus send_msg;
+ allow ooffice_t $1:dbus send_msg;
+')
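Review bot: The separator line above the new `ooffice_dbus_chat` summary appears one `#` shorter than the separators used elsewhere in this file (compare the one added to openoffice.if in part 3/3), which is a cosmetic inconsistency the refpolicy docs tooling does not mind but reviewers do. The same header recurs in the v3 version of this patch. Otherwise the interface follows the usual bidirectional `send_msg` chat pattern and the gen_require is complete.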
--- a/policy/modules/contrib/openoffice.te 2017-05-23 21:34:17.461592081 +0200
+++ b/policy/modules/contrib/openoffice.te 2017-05-23 22:09:20.740583482 +0200
@@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t
can_exec(ooffice_t, ooffice_exec_t)
+kernel_dontaudit_read_system_state(ooffice_t)
+
corecmd_exec_bin(ooffice_t)
corecmd_exec_shell(ooffice_t)
dev_read_sysfs(ooffice_t)
dev_read_urand(ooffice_t)
+domain_use_interactive_fds(ooffice_t)
+
files_getattr_all_dirs(ooffice_t)
files_getattr_all_files(ooffice_t)
files_getattr_all_symlinks(ooffice_t)
@@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice
sysnet_dns_name_resolve(ooffice_t)
userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
+
userdom_read_user_tmp_files(ooffice_t)
userdom_manage_user_home_content_dirs(ooffice_t)
userdom_manage_user_home_content_files(ooffice_t)
userdom_manage_user_home_content_symlinks(ooffice_t)
userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+userdom_manage_user_tmp_sockets(ooffice_t)
+
+userdom_use_inherited_user_terminals(ooffice_t)
+
tunable_policy(`openoffice_allow_update',`
corenet_tcp_connect_http_port(ooffice_t)
')
@@ -111,6 +121,8 @@ optional_policy(`
optional_policy(`
dbus_all_session_bus_client(ooffice_t)
+
+ ooffice_dbus_chat(ooffice_t)
')
optional_policy(`
@@ -119,6 +131,11 @@ optional_policy(`
')
optional_policy(`
+ gnome_dbus_chat_gconfd(ooffice_t)
+ gnome_stream_connect_gconf(ooffice_t)
+')
+
+optional_policy(`
hostname_exec(ooffice_t)
')
On 05/23/2017 04:27 PM, Guido Trentalancia via refpolicy wrote:
> Minor update for the Apache OpenOffice(R) module: part 2/3.
>
> This patch introduces a few minor changes to the Apache
> OpenOffice(R) module, including fixes for smoother integration
> with gnome.
>
> It does no longer require the userdomain interface that was
> previously introduced with part 1/3 (now dropped) because
> it now uses an OpenOffice interface (thanks to Christopher
> PeBenito for suggesting this improvement).
>
> This is the second version (v2).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/openoffice.if | 22 ++++++++++++++++++++++
> policy/modules/contrib/openoffice.te | 17 +++++++++++++++++
> 2 files changed, 39 insertions(+)
>
> --- a/policy/modules/contrib/openoffice.if 2017-05-23 21:34:17.449592081 +0200
> +++ b/policy/modules/contrib/openoffice.if 2017-05-23 22:10:07.600583291 +0200
> @@ -86,3 +86,25 @@ interface(`ooffice_rw_tmp_files',`
>
> rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
> ')
> +
> +#######################################
> +## <summary>
> +## Send and receive dbus messages
> +## from and to the openoffice
> +## domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_dbus_chat',`
> + gen_require(`
> + type ooffice_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ooffice_t:dbus send_msg;
> + allow ooffice_t $1:dbus send_msg;
> +')
> --- a/policy/modules/contrib/openoffice.te 2017-05-23 21:34:17.461592081 +0200
> +++ b/policy/modules/contrib/openoffice.te 2017-05-23 22:09:20.740583482 +0200
> @@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t
>
> can_exec(ooffice_t, ooffice_exec_t)
>
> +kernel_dontaudit_read_system_state(ooffice_t)
> +
> corecmd_exec_bin(ooffice_t)
> corecmd_exec_shell(ooffice_t)
>
> dev_read_sysfs(ooffice_t)
> dev_read_urand(ooffice_t)
>
> +domain_use_interactive_fds(ooffice_t)
> +
> files_getattr_all_dirs(ooffice_t)
> files_getattr_all_files(ooffice_t)
> files_getattr_all_symlinks(ooffice_t)
> @@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice
> sysnet_dns_name_resolve(ooffice_t)
>
> userdom_dontaudit_exec_user_home_content_files(ooffice_t)
> +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
> +
> userdom_read_user_tmp_files(ooffice_t)
> userdom_manage_user_home_content_dirs(ooffice_t)
> userdom_manage_user_home_content_files(ooffice_t)
> userdom_manage_user_home_content_symlinks(ooffice_t)
> userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
>
> +userdom_manage_user_tmp_sockets(ooffice_t)
> +
> +userdom_use_inherited_user_terminals(ooffice_t)
> +
> tunable_policy(`openoffice_allow_update',`
> corenet_tcp_connect_http_port(ooffice_t)
> ')
> @@ -111,6 +121,8 @@ optional_policy(`
>
> optional_policy(`
> dbus_all_session_bus_client(ooffice_t)
> +
> + ooffice_dbus_chat(ooffice_t)
This results in ooffice_t doing a dbus chat to itself and that's it.
Shouldn't this access be in ooffice_role() so it applies to the user domains?
> ')
>
> optional_policy(`
> @@ -119,6 +131,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + gnome_dbus_chat_gconfd(ooffice_t)
> + gnome_stream_connect_gconf(ooffice_t)
> +')
> +
> +optional_policy(`
> hostname_exec(ooffice_t)
> ')
>
>
--
Chris PeBenito
On the 24th of May 2017 02:37:23 CEST, Chris PeBenito <[email protected]> wrote:
>On 05/23/2017 04:27 PM, Guido Trentalancia via refpolicy wrote:
>> Minor update for the Apache OpenOffice(R) module: part 2/3.
>>
>> This patch introduces a few minor changes to the Apache
>> OpenOffice(R) module, including fixes for smoother integration
>> with gnome.
>>
>> It does no longer require the userdomain interface that was
>> previously introduced with part 1/3 (now dropped) because
>> it now uses an OpenOffice interface (thanks to Christopher
>> PeBenito for suggesting this improvement).
>>
>> This is the second version (v2).
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/contrib/openoffice.if | 22 ++++++++++++++++++++++
>> policy/modules/contrib/openoffice.te | 17 +++++++++++++++++
>> 2 files changed, 39 insertions(+)
>>
>> --- a/policy/modules/contrib/openoffice.if 2017-05-23
>21:34:17.449592081 +0200
>> +++ b/policy/modules/contrib/openoffice.if 2017-05-23
>22:10:07.600583291 +0200
>> @@ -86,3 +86,25 @@ interface(`ooffice_rw_tmp_files',`
>>
>> rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
>> ')
>> +
>> +#######################################
>> +## <summary>
>> +## Send and receive dbus messages
>> +## from and to the openoffice
>> +## domain.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`ooffice_dbus_chat',`
>> + gen_require(`
>> + type ooffice_t;
>> + class dbus send_msg;
>> + ')
>> +
>> + allow $1 ooffice_t:dbus send_msg;
>> + allow ooffice_t $1:dbus send_msg;
>> +')
>> --- a/policy/modules/contrib/openoffice.te 2017-05-23
>21:34:17.461592081 +0200
>> +++ b/policy/modules/contrib/openoffice.te 2017-05-23
>22:09:20.740583482 +0200
>> @@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t
>>
>> can_exec(ooffice_t, ooffice_exec_t)
>>
>> +kernel_dontaudit_read_system_state(ooffice_t)
>> +
>> corecmd_exec_bin(ooffice_t)
>> corecmd_exec_shell(ooffice_t)
>>
>> dev_read_sysfs(ooffice_t)
>> dev_read_urand(ooffice_t)
>>
>> +domain_use_interactive_fds(ooffice_t)
>> +
>> files_getattr_all_dirs(ooffice_t)
>> files_getattr_all_files(ooffice_t)
>> files_getattr_all_symlinks(ooffice_t)
>> @@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice
>> sysnet_dns_name_resolve(ooffice_t)
>>
>> userdom_dontaudit_exec_user_home_content_files(ooffice_t)
>> +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
>> +
>> userdom_read_user_tmp_files(ooffice_t)
>> userdom_manage_user_home_content_dirs(ooffice_t)
>> userdom_manage_user_home_content_files(ooffice_t)
>> userdom_manage_user_home_content_symlinks(ooffice_t)
>> userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir
>file lnk_file fifo_file sock_file })
>>
>> +userdom_manage_user_tmp_sockets(ooffice_t)
>> +
>> +userdom_use_inherited_user_terminals(ooffice_t)
>> +
>> tunable_policy(`openoffice_allow_update',`
>> corenet_tcp_connect_http_port(ooffice_t)
>> ')
>> @@ -111,6 +121,8 @@ optional_policy(`
>>
>> optional_policy(`
>> dbus_all_session_bus_client(ooffice_t)
>> +
>> + ooffice_dbus_chat(ooffice_t)
>
>This results in ooffice_t doing a dbus chat to itself and that's it.
>Shouldn't this access be in oofice_role() so it applies to the user
>domains?
Oops, yes you are right, that's a mistake, thanks for telling me; I'll fix that in the next version, coming soon!
>> ')
>>
>> optional_policy(`
>> @@ -119,6 +131,11 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>> + gnome_dbus_chat_gconfd(ooffice_t)
>> + gnome_stream_connect_gconf(ooffice_t)
>> +')
>> +
>> +optional_policy(`
>> hostname_exec(ooffice_t)
>> ')
>>
Regards,
Guido
Minor update for the Apache OpenOffice(R) module: part 2/3.
This patch introduces a few minor changes to the Apache
OpenOffice(R) module, including fixes for smoother integration
with gnome.
It no longer requires the userdomain interface that was
previously introduced with part 1/3 (now dropped), because
it now uses an OpenOffice interface (thanks to Christopher
PeBenito for suggesting this improvement).
This is the third version (v3).
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/openoffice.if | 26 ++++++++++++++++++++++++++
policy/modules/contrib/openoffice.te | 15 +++++++++++++++
2 files changed, 41 insertions(+)
--- a/policy/modules/contrib/openoffice.if 2017-05-23 21:34:17.449592081 +0200
+++ b/policy/modules/contrib/openoffice.if 2017-05-24 02:51:36.619752164 +0200
@@ -29,6 +29,10 @@ interface(`ooffice_role',`
allow $2 ooffice_t:process { ptrace signal_perms };
ps_process_pattern($2, ooffice_t)
+
+ optional_policy(`
+ ooffice_dbus_chat($2)
+ ')
')
########################################
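Review bot: The `optional_policy` wrapper around `ooffice_dbus_chat($2)` appears redundant: the interface is defined in this same module, and its gen_require asks only for `ooffice_t` and the `dbus` class, both of which are present whenever `ooffice_role` itself can be called. A plain `ooffice_dbus_chat($2)` would read as intended unless there is a build configuration I cannot see here where the dbus class is absent. `ooffice_role` starts before this hunk.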
@@ -86,3 +90,25 @@ interface(`ooffice_rw_tmp_files',`
rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
')
+
+#######################################
+## <summary>
+## Send and receive dbus messages
+## from and to the openoffice
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_dbus_chat',`
+ gen_require(`
+ type ooffice_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ooffice_t:dbus send_msg;
+ allow ooffice_t $1:dbus send_msg;
+')
--- a/policy/modules/contrib/openoffice.te 2017-05-23 21:34:17.461592081 +0200
+++ b/policy/modules/contrib/openoffice.te 2017-05-24 02:51:16.982752038 +0200
@@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t
can_exec(ooffice_t, ooffice_exec_t)
+kernel_dontaudit_read_system_state(ooffice_t)
+
corecmd_exec_bin(ooffice_t)
corecmd_exec_shell(ooffice_t)
dev_read_sysfs(ooffice_t)
dev_read_urand(ooffice_t)
+domain_use_interactive_fds(ooffice_t)
+
files_getattr_all_dirs(ooffice_t)
files_getattr_all_files(ooffice_t)
files_getattr_all_symlinks(ooffice_t)
@@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice
sysnet_dns_name_resolve(ooffice_t)
userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
+
userdom_read_user_tmp_files(ooffice_t)
userdom_manage_user_home_content_dirs(ooffice_t)
userdom_manage_user_home_content_files(ooffice_t)
userdom_manage_user_home_content_symlinks(ooffice_t)
userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+userdom_manage_user_tmp_sockets(ooffice_t)
+
+userdom_use_inherited_user_terminals(ooffice_t)
+
tunable_policy(`openoffice_allow_update',`
corenet_tcp_connect_http_port(ooffice_t)
')
@@ -119,6 +129,11 @@ optional_policy(`
')
optional_policy(`
+ gnome_dbus_chat_gconfd(ooffice_t)
+ gnome_stream_connect_gconf(ooffice_t)
+')
+
+optional_policy(`
hostname_exec(ooffice_t)
')
On 05/23/2017 08:59 PM, Guido Trentalancia via refpolicy wrote:
> Minor update for the Apache OpenOffice(R) module: part 2/3.
>
> This patch introduces a few minor changes to the Apache
> OpenOffice(R) module, including fixes for smoother integration
> with gnome.
>
> It does no longer require the userdomain interface that was
> previously introduced with part 1/3 (now dropped) because
> it now uses an OpenOffice interface (thanks to Christopher
> PeBenito for suggesting this improvement).
>
> This is the third version (v3).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/openoffice.if | 26 ++++++++++++++++++++++++++
> policy/modules/contrib/openoffice.te | 15 +++++++++++++++
> 2 files changed, 41 insertions(+)
>
> --- a/policy/modules/contrib/openoffice.if 2017-05-23 21:34:17.449592081 +0200
> +++ b/policy/modules/contrib/openoffice.if 2017-05-24 02:51:36.619752164 +0200
> @@ -29,6 +29,10 @@ interface(`ooffice_role',`
>
> allow $2 ooffice_t:process { ptrace signal_perms };
> ps_process_pattern($2, ooffice_t)
> +
> + optional_policy(`
> + ooffice_dbus_chat($2)
> + ')
> ')
>
> ########################################
> @@ -86,3 +90,25 @@ interface(`ooffice_rw_tmp_files',`
>
> rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
> ')
> +
> +#######################################
> +## <summary>
> +## Send and receive dbus messages
> +## from and to the openoffice
> +## domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_dbus_chat',`
> + gen_require(`
> + type ooffice_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ooffice_t:dbus send_msg;
> + allow ooffice_t $1:dbus send_msg;
> +')
> --- a/policy/modules/contrib/openoffice.te 2017-05-23 21:34:17.461592081 +0200
> +++ b/policy/modules/contrib/openoffice.te 2017-05-24 02:51:16.982752038 +0200
> @@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t
>
> can_exec(ooffice_t, ooffice_exec_t)
>
> +kernel_dontaudit_read_system_state(ooffice_t)
> +
> corecmd_exec_bin(ooffice_t)
> corecmd_exec_shell(ooffice_t)
>
> dev_read_sysfs(ooffice_t)
> dev_read_urand(ooffice_t)
>
> +domain_use_interactive_fds(ooffice_t)
> +
> files_getattr_all_dirs(ooffice_t)
> files_getattr_all_files(ooffice_t)
> files_getattr_all_symlinks(ooffice_t)
> @@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice
> sysnet_dns_name_resolve(ooffice_t)
>
> userdom_dontaudit_exec_user_home_content_files(ooffice_t)
> +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
> +
> userdom_read_user_tmp_files(ooffice_t)
> userdom_manage_user_home_content_dirs(ooffice_t)
> userdom_manage_user_home_content_files(ooffice_t)
> userdom_manage_user_home_content_symlinks(ooffice_t)
> userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
>
> +userdom_manage_user_tmp_sockets(ooffice_t)
> +
> +userdom_use_inherited_user_terminals(ooffice_t)
> +
> tunable_policy(`openoffice_allow_update',`
> corenet_tcp_connect_http_port(ooffice_t)
> ')
> @@ -119,6 +129,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + gnome_dbus_chat_gconfd(ooffice_t)
> + gnome_stream_connect_gconf(ooffice_t)
> +')
> +
> +optional_policy(`
> hostname_exec(ooffice_t)
> ')
Merged.
--
Chris PeBenito
On 05/20/2017 11:42 AM, Guido Trentalancia via refpolicy wrote:
> Minor update for the Apache OpenOffice(R) module: part 3/3.
>
> This patch introduces minor changes in the gnome module for
> smoother integration with Apache OpenOffice(R).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/gnome.te | 7 ++++++-
> policy/modules/contrib/openoffice.if | 20 ++++++++++++++++++++
> 2 files changed, 26 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/contrib/gnome.te 2017-04-21 20:01:32.406190979 +0200
> +++ b/policy/modules/contrib/gnome.te 2017-05-20 16:41:23.878233810 +0200
> @@ -98,7 +98,8 @@ kernel_read_system_state(gconfd_t)
> files_read_var_lib_files(gconfd_t)
>
> userdom_manage_user_tmp_dirs(gconfd_t)
> -userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> +userdom_manage_user_tmp_sockets(gconfd_t)
> +userdom_tmp_filetrans_user_tmp(gconfd_t, { dir sock_file })
> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>
> optional_policy(`
> @@ -111,6 +112,10 @@ optional_policy(`
> nscd_dontaudit_search_pid(gconfd_t)
> ')
>
> +optional_policy(`
> + ooffice_stream_connect(gconfd_t)
> +')
> +
> ##############################
> #
> # Keyring-daemon local policy
> --- a/policy/modules/contrib/openoffice.if 2017-03-29 17:58:00.303386397 +0200
> +++ b/policy/modules/contrib/openoffice.if 2017-05-20 16:40:46.358233963 +0200
> @@ -86,3 +86,23 @@ interface(`ooffice_dontaudit_exec_tmp_fi
>
> dontaudit $1 ooffice_tmp_t:file exec_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Connect to openoffice using a
> +## unix domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ooffice_stream_connect',`
> + gen_require(`
> + type ooffice_t, ooffice_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t)
> +')
Merged.
--
Chris PeBenito