From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Basic policy for KDE and Konqueror
Date: Thu, 27 Aug 2009 18:47:04 +0200
Message-ID: <20090827164704.GB6385@notebook3.grift.internal>
In-Reply-To: <200908271807.52210.Nicky726@gmail.com>

On Thu, Aug 27, 2009 at 06:07:52PM +0200, Nicky726 wrote:
> Hello,
> 
> I managed to implement almost all of your comments to KDE and Konqueror 
> policy. Now I need to do some testing, which is where I got totally stuck.
> 
> First to the konqueror_role(). I created this interface according to policy 
> for mozilla, but I quite don't get it, where should I place the call itself. 
> You mention userdomain policy:
> 
> On Wed 12 August 2009 20:58:03 Dominick Grift wrote:
> > the konqueror_run interface calls should be replaced by
> > konqueror_role() calls. These calls do not belong there but they belong
> > in the user domain policy.
> 
> But I didn't find there much xxx_role() calls. More importantly I didn't find 
> there any mozilla_role() which I take as a reference. When I looked through 
> refpolicy sources I managed to find mozilla_role() and other xxx_role() calls 
> in roles/unprivuser.te and other roles. So to where do these calls belong?
> 
> I am not sure, that I fully comprehend this situation concerning xxx_role() 
> calls. I had interface konqueror_run() which was called in konqueror.te. This 

The *_role template instantiates policy for the caller's role. In SELinux, different users can have different roles, and the *_role template makes it easier and more compact.

If you have different users, you'd have to write similar policy for each user (unconfined, staff, user, guest, xguest, etc.). With *_role you write the policy one time and instantiate (call) it for the various users (easier to maintain, less policy to write).

> should now be replaced by konqueror_role() which I guess should do something 
> similar, and be called where? What is it good for? And are there more changes 
> needed so it worked? Could someone explain this more?
> 
> Now to the testing stuff. Until now I managed to test the modules against 
> unmodified Fedora targeted policy. But with konqueror_role() calls there are 
> some modifications needed. How to do it? I didn't have much luck with inserting 
> changed modules to fedora policy, nor with compiling what I hope was exact copy 
> of fedora policy.
> 
> I also think, that this module should be tested against refpolicy-git 
> shouldn't it? The problem with this is, that fedora didn't even boot with 
> git refpolicy. How do you test the modules then? 
> 
> 
> Thanks for the answers,
> Ondrej Vadinsky
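
What the reply describes, as an added sketch that is not part of the original message or of refpolicy: a hypothetical konqueror_role() written once in the module's .if file and instantiated per role from roles/unprivuser.te and roles/staff.te. The type names konqueror_t and konqueror_exec_t and the rules chosen for the body are assumptions.

```m4
# Constructed sketch. konqueror_t and konqueror_exec_t are assumed type names.
# No apostrophes in comments: inside an interface they would end the m4 quote.

# --- konqueror.if: written once ---
########################################
## <summary>
##	Role access for konqueror.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`konqueror_role',`
	gen_require(`
		type konqueror_t, konqueror_exec_t;
	')

	# $1 is the role of the caller: allow it to be paired with konqueror_t
	role $1 types konqueror_t;

	# $2 is the user domain of the caller: executing the konqueror
	# binary from it transitions the process into konqueror_t
	domtrans_pattern($2, konqueror_exec_t, konqueror_t)

	# the user may see and signal the konqueror processes it started
	ps_process_pattern($2, konqueror_t)
	allow $2 konqueror_t:process signal;
')

# --- roles/unprivuser.te: instantiate for the unprivileged user ---
optional_policy(`
	konqueror_role(user_r, user_t)
')

# --- roles/staff.te: same policy, different role and domain ---
optional_policy(`
	konqueror_role(staff_r, staff_t)
')
```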