* [refpolicy] Basic policy for KDE and Konqueror, 2nd look
From: Nicky726 @ 2009-09-08 10:54 UTC (permalink / raw)
To: refpolicy
Hello,

this is a reworked version of the KDE and Konqueror policies. Thanks to everyone
who commented, and especially to Dominick Grift.

Goals are to provide basics for confining more KDE applications and to
confine the Konqueror web browser as a network-accessing application. This version
aims to be more according to the reference policy standards. Results are
enclosed. Tested on up-to-date Fedora 11 with KDE 4.3.

Please comment, so that I can make the policy better.

Thanks for your time,
Ondrej Vadinsky

--
Don't it always seem to go
That you don't know what you've got
Till it's gone.

(Joni Mitchell)
-------------- next part --------------
# Qt config file
HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)
# KDE home
HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)
-------------- next part --------------
## <summary>Basic kde confinement</summary>

########################################
## <summary>
##	Search kde_shared_home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_search_home_dir',`
	gen_require(`
		type kde_shared_home_t;
	')

	allow $1 kde_shared_home_t:dir search_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Read kde_shared_home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_read_home_files',`
	gen_require(`
		type kde_shared_home_t;
	')

	allow $1 kde_shared_home_t:file r_file_perms;
	allow $1 kde_shared_home_t:dir list_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Create, read, write, and delete
##	kde_shared_home files, links and dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_manage_home_files',`
	gen_require(`
		type kde_shared_home_t;
	')

	allow $1 kde_shared_home_t:file manage_file_perms;
	allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
	allow $1 kde_shared_home_t:dir rw_dir_perms;
')

########################################
## <summary>
##	Manage kde_shared_home files, links and dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_manage_home',`
	gen_require(`
		type kde_shared_home_t;
	')

	manage_dirs_pattern($1, kde_shared_home_t, kde_shared_home_t)
	manage_files_pattern($1, kde_shared_home_t, kde_shared_home_t)
	manage_lnk_files_pattern($1, kde_shared_home_t, kde_shared_home_t)
')

########################################
## <summary>
##	Create files, dirs and links of the specified type in
##	kde_shared_home_t dirs with a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private type">
##	<summary>
##	Private type of the created object.
##	</summary>
## </param>
#
interface(`files_kde_home_filetrans',`
	gen_require(`
		type kde_shared_home_t;
	')

	type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;
')
-------------- next part --------------
policy_module(kde,0.0.3)

########################################
#
# Declarations
#

type kde_shared_tmp_t;
files_tmp_file(kde_shared_tmp_t)

type kde_shared_home_t;
userdom_user_home_content(kde_shared_home_t)
-------------- next part --------------
/usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)
HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
-------------- next part --------------
## <summary>Policy for Konqueror</summary>

########################################
## <summary>
##	Role access for konqueror.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`konqueror_role',`
	gen_require(`
		type konqueror_t, konqueror_exec_t, konqueror_home_t;
		class dbus acquire_svc;
	')

	role $1 types konqueror_t;

	#domain_auto_trans($2, konqueror_exec_t, konqueror_t)
	konqueror_domtrans($2)
	# Unrestricted inheritance from the caller.
	allow $2 konqueror_t:process { noatsecure siginh rlimitinh };
	allow konqueror_t $2:fd use;
	allow konqueror_t $2:process { sigchld signull sigkill }; # According to AVC sigkill is needed too
	allow konqueror_t $2:unix_stream_socket connectto;

	# Allow konqueror to acquire a dbus service from the user domain and chat with konqueror.
	# This is a workaround for a not yet implemented interface in dbus.
	allow konqueror_t $2:dbus acquire_svc;
	konqueror_dbus_chat($2)

	# Allow the user domain to signal/ps.
	ps_process_pattern($2, konqueror_t)
	allow $2 konqueror_t:process signal_perms;

	allow $2 konqueror_t:fd use;
	allow $2 konqueror_t:shm { associate getattr };
	allow $2 konqueror_t:shm { unix_read unix_write };
	allow $2 konqueror_t:unix_stream_socket connectto;

	# X access, home files
	manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
')

########################################
## <summary>
##	Execute a domain transition to run konqueror.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`konqueror_domtrans',`
	gen_require(`
		type konqueror_t;
		type konqueror_exec_t;
	')

	domtrans_pattern($1, konqueror_exec_t, konqueror_t)
')

########################################
## <summary>
##	Search konqueror rw directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_search_home_dir',`
	gen_require(`
		type konqueror_home_t;
	')

	allow $1 konqueror_home_t:dir search_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Read konqueror rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_read_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	allow $1 konqueror_home_t:file r_file_perms;
	allow $1 konqueror_home_t:dir list_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Create, read, write, and delete
##	konqueror rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	allow $1 konqueror_home_t:file manage_file_perms;
	allow $1 konqueror_home_t:dir rw_dir_perms;
')

########################################
## <summary>
##	Manage konqueror rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home',`
	gen_require(`
		type konqueror_home_t;
	')

	manage_dirs_pattern($1, konqueror_home_t, konqueror_home_t)
	manage_files_pattern($1, konqueror_home_t, konqueror_home_t)
	manage_lnk_files_pattern($1, konqueror_home_t, konqueror_home_t)
')

########################################
## <summary>
##	Send and receive messages from
##	konqueror over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_dbus_chat',`
	gen_require(`
		type konqueror_t;
		class dbus send_msg;
	')

	allow $1 konqueror_t:dbus send_msg;
	allow konqueror_t $1:dbus send_msg;
')

########################################
## <summary>
##	All of the rules required to administrate
##	a konqueror environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the konqueror domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the user terminal.
##	</summary>
## </param>
## <rolecap/>
#
interface(`konqueror_admin',`
	gen_require(`
		type konqueror_t;
	')

	allow $1 konqueror_t:process { ptrace signal_perms getattr };
	read_files_pattern($1, konqueror_t, konqueror_t)

	kde_manage_tmp($1)

	konqueror_manage_home($1)
')
-------------- next part --------------
policy_module(konqueror,0.2)

########################################
#
# Konqueror personal declarations
#

## <desc>
## <p>
## Allow Konqueror to run bin_t because of drkonqi
## </p>
## </desc>
gen_tunable(konqueror_exec_bin_t, false)

type konqueror_t;
type konqueror_exec_t;
application_domain(konqueror_t, konqueror_exec_t)
ubac_constrained(konqueror_t)

type konqueror_home_t;
userdom_user_home_content(konqueror_home_t)

type konqueror_tmp_t;
files_tmp_file(konqueror_tmp_t)

########################################
#
# Konqueror local policy
#

# Internal communication using fifo and dbus
allow konqueror_t self:fifo_file rw_file_perms;
allow konqueror_t self:dbus send_msg;
allow konqueror_t self:process getsched; # get self process priority
allow konqueror_t self:tcp_socket create_stream_socket_perms;

# Temp access for konqueror
manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)

# To ensure that konqueror files in user_tmp_t are labeled correctly as konqueror_tmp_t
userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })
# Now KDE temp stuff is created with user_tmp_t; with more KDE apps confined
# it'll have the right context.
# For now grant minimal necessary access to user temp.
userdom_read_user_tmp_files(konqueror_t)

# Full access to konqueror home
konqueror_manage_home(konqueror_t)

# Access to ports
corenet_all_recvfrom_unlabeled(konqueror_t)

corenet_tcp_sendrecv_all_if(konqueror_t)
corenet_tcp_sendrecv_all_nodes(konqueror_t)
corenet_tcp_sendrecv_all_ports(konqueror_t)

corenet_tcp_connect_ftp_data_port(konqueror_t)
corenet_tcp_connect_ftp_port(konqueror_t)

corenet_tcp_connect_http_port(konqueror_t)
corenet_tcp_connect_http_cache_port(konqueror_t)

dev_read_urand(konqueror_t) # /dev/urandom

files_read_etc_files(konqueror_t)
files_read_usr_files(konqueror_t) # /usr

fs_getattr_xattr_fs(konqueror_t) # extended attributes support

kernel_read_system_state(konqueror_t) # /proc

# Use shared libs
libs_use_ld_so(konqueror_t)
libs_use_shared_libs(konqueror_t)

# Read localization and fonts
miscfiles_read_localization(konqueror_t)
miscfiles_read_fonts(konqueror_t)

sysnet_dns_name_resolve(konqueror_t)

userdom_use_user_terminals(konqueror_t) # run from terminal

xserver_stream_connect(konqueror_t) # connect to xserver
xserver_stream_connect_xdm(konqueror_t) # connect to xdm xserver

# Konqueror runs drkonqi (bin_t). For now dontaudit, in future confine.
# And if the user wishes, it could be allowed.
corecmd_dontaudit_getattr_bin_files(konqueror_t)
corecmd_dontaudit_exec_all_executables(konqueror_t)
tunable_policy(`konqueror_exec_bin_t',`
	corecmd_getattr_bin_files(konqueror_t)
	corecmd_exec_bin(konqueror_t)
')

# Access to kde_shared_home_t, should be reduced in future.
# Transition so that konqueror_home files in a kde_shared_home_t dir
# wouldn't switch to the parent directory type.
optional_policy(`
	kde_manage_home_files(konqueror_t)
	files_kde_home_filetrans(konqueror_t, konqueror_home_t)
')

# For testing purposes only!
# Should be in userdom.if
gen_require(`
	type unconfined_t;
	role unconfined_r;
')

konqueror_role(unconfined_r, unconfined_t)
From: Dominick Grift @ 2009-09-08 11:21 UTC (permalink / raw)
To: refpolicy
On Tue, Sep 08, 2009 at 12:54:01PM +0200, Nicky726 wrote:
comments inline
> Hello,
>
> this is a reworked version of the KDE and Konqueror policies. Thanks to everyone,
> who commented, and especially to Dominick Grift.
>
> Goals are to provide basics for confining more KDE applications and to
> confine the Konqueror web browser as a network-accessing application. This version
> aims to be more according to the reference policy standards. Results are
> enclosed. Tested on up-to-date Fedora 11 with KDE 4.3.
>
> Please comment, so that I can make the policy better.
>
>
> Thanks for your time,
> Ondrej Vadinsky
>
> --
> Don't it always seem to go
> That you don't know what you've got
> Till it's gone.
>
> (Joni Mitchell)
> # Qt config file
> HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)
> # KDE home
> HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)
>
> ## <summary>Basic kde confinement</summary>
>
> ########################################
> ## <summary>
> ## Search kde_shared_home directories.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_search_home_dir',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:dir search_dir_perms;
> files_search_rw($1)
one needs to search $home to find kde_shared_home_t:
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Read kde_shared_home files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_read_home_files',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:file r_file_perms;
> allow $1 kde_shared_home_t:dir list_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> ## kde_shared_home files links and dirs
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_manage_home_files',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:file manage_file_perms;
> allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
> allow $1 kde_shared_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Manage kde_shared_home files links and dirs.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_manage_home',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> manage_dirs_pattern($1,kde_shared_home_t,kde_shared_home_t)
> manage_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
> manage_lnk_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
userdom_search_user_home_dirs($1)
> ')
>
>
> ########################################
> ## <summary>
> ## Create file, dir, links of specified type in
> ## kde_shared_home_t dirs with type transition
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access
> ## </summary>
> ## </param>
> ## <param name="private type">
> ## <summary>
> ## Private type of created object
> ## </summary>
> ## </param>
> #
> interface(`files_kde_home_filetrans',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;
>
> ')
This is a bad idea. Processes should not type transition to a type that they do not own.
Use manage_files_pattern instead.
>
> policy_module(kde,0.0.3)
>
> ########################################
> #
> # Declarations
> #
> type kde_shared_tmp_t;
> files_tmp_file(kde_shared_tmp_t)
ubac_constrained(kde_shared_tmp_t)
>
> type kde_shared_home_t;
> userdom_user_home_content(kde_shared_home_t)
>
> /usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)
>
> HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
>
>
> ## <summary>Policy for Konqueror</summary>
>
> ########################################
> ## <summary>
> ## Role access for konqueror
> ## </summary>
> ## <param name="role">
> ## <summary>
> ## Role allowed access
> ## </summary>
> ## </param>
> ## <param name="domain">
> ## <summary>
> ## User domain for the role
> ## </summary>
> ## </param>
> #
> interface(`konqueror_role',`
> gen_require(`
> type konqueror_t, konqueror_exec_t, konqueror_home_t;
> class dbus acquire_svc;
Put the dbus class in an optional_policy block so that your policy doesn't fail if there is no dbus policy installed.
> ')
>
> role $1 types konqueror_t;
>
> #domain_auto_trans($2, konqueror_exec_t, konqueror_t)
> konqueror_domtrans($2)
> # Unrestricted inheritance from the caller.
> allow $2 konqueror_t:process { noatsecure siginh rlimitinh };
This can probably be dontaudited
> allow konqueror_t $2:fd use;
> allow konqueror_t $2:process { sigchld signull sigkill }; #According to AVC sigkill is needed too
signal_perms
> allow konqueror_t $2:unix_stream_socket connectto;
use userdom_stream_connect instead
>
> # Allow konqueror to acquire dbus service from user domain and chat with konqueror
> # This is workaround for not yet implemented interface in dbus
> allow konqueror_t $2:dbus acquire_svc;
> konqueror_dbus_chat($2)
dbus is optional_policy
>
> # Allow the user domain to signal/ps.
> ps_process_pattern($2, konqueror_t)
> allow $2 konqueror_t:process signal_perms;
>
> allow $2 konqueror_t:fd use;
> allow $2 konqueror_t:shm { associate getattr };
> allow $2 konqueror_t:shm { unix_read unix_write };
> allow $2 konqueror_t:unix_stream_socket connectto;
>
> # X access, Home files
> manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
> manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> ')
>
> ########################################
> ## <summary>
> ## Execute a domain transition to run konqueror.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed to transition.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_domtrans',`
> gen_require(`
> type konqueror_t;
> type konqueror_exec_t;
> ')
>
> domtrans_pattern($1,konqueror_exec_t,konqueror_t)
> ')
>
>
> ########################################
> ## <summary>
> ## Search konqueror rw directories.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_search_home_dir',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:dir search_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Read konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_read_home_files',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:file r_file_perms;
> allow $1 konqueror_home_t:dir list_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> ## konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_manage_home_files',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:file manage_file_perms;
> allow $1 konqueror_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Manage konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_manage_home',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
> manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
> manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Send and receive messages from
> ## konqueror over dbus.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_dbus_chat',`
> gen_require(`
> type konqueror_t;
> class dbus send_msg;
> ')
>
> allow $1 konqueror_t:dbus send_msg;
> allow konqueror_t $1:dbus send_msg;
> ')
>
> ########################################
> ## <summary>
> ## All of the rules required to administrate
> ## a konqueror environment
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> ## <param name="role">
> ## <summary>
> ## The role to be allowed to manage the konqueror domain.
> ## </summary>
> ## </param>
> ## <param name="terminal">
> ## <summary>
> ## The type of the user terminal.
> ## </summary>
> ## </param>
> ## <rolecap/>
> #
> interface(`konqueror_admin',`
> gen_require(`
> type konqueror_t;
> ')
>
> allow $1 konqueror_t:process { ptrace signal_perms getattr };
> read_files_pattern($1, konqueror_t, konqueror_t)
>
>
> kde_manage_tmp($1)
>
> konqueror_manage_home($1)
>
> ')
>
> policy_module(konqueror,0.2)
>
> ########################################
> #
> # Konqueror personal declarations
> #
>
> ## <desc>
> ## <p>
> ## Allow Konqueror to run bin_t because of drkonqi
> ## </p>
> ## </desc>
>
> gen_tunable(konqueror_exec_bin_t, false)
>
> type konqueror_t;
> type konqueror_exec_t;
> application_domain(konqueror_t, konqueror_exec_t)
> ubac_constrained(konqueror_t)
>
> type konqueror_home_t;
> userdom_user_home_content(konqueror_home_t)
>
> type konqueror_tmp_t;
> files_tmp_file(konqueror_tmp_t)
ubac_constrained
>
> ########################################
> #
> # Konqueror local policy
> #
>
> # Internal communication using fifo and dbus
> allow konqueror_t self:fifo_file rw_file_perms;
> allow konqueror_t self:dbus send_msg;
> allow konqueror_t self:process getsched; # get self process priority
> allow konqueror_t self:tcp_socket create_stream_socket_perms;
>
> # Temp access for konqueror
> manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>
> # To ensure that konqueror files in user_tmp_t are labeled correctly as konqueror_tmp_t
> userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })
> # Now KDE temp stuff is created with user_tmp_t; with more KDE apps confined
> # it'll have the right context.
> # For now grant minimal necessary access to user temp.
> userdom_read_user_tmp_files(konqueror_t)
>
> # Full access to konqueror home
> konqueror_manage_home(konqueror_t)
>
> # Access to ports
> corenet_all_recvfrom_unlabeled(konqueror_t)
>
> corenet_tcp_sendrecv_all_if(konqueror_t)
> corenet_tcp_sendrecv_all_nodes(konqueror_t)
> corenet_tcp_sendrecv_all_ports(konqueror_t)
>
> corenet_tcp_connect_ftp_data_port(konqueror_t)
> corenet_tcp_connect_ftp_port(konqueror_t)
>
> corenet_tcp_connect_http_port(konqueror_t)
> corenet_tcp_connect_http_cache_port(konqueror_t)
>
> dev_read_urand(konqueror_t) #/dev/urandom
>
> files_read_etc_files(konqueror_t)
> files_read_usr_files(konqueror_t) #/usr
>
> fs_getattr_xattr_fs(konqueror_t) # extended attributes support
>
> kernel_read_system_state(konqueror_t) #/proc
>
> # Use shared libs
> libs_use_ld_so(konqueror_t)
> libs_use_shared_libs(konqueror_t)
>
> # Read localization and fonts
> miscfiles_read_localization(konqueror_t)
> miscfiles_read_fonts(konqueror_t)
>
> sysnet_dns_name_resolve(konqueror_t)
>
> userdom_use_user_terminals(konqueror_t) #run from terminal
>
> xserver_stream_connect(konqueror_t) #connect to xserver
> xserver_stream_connect_xdm(konqueror_t) #connect to xdm xserver
>
> # Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
> # And if user wishes, it could be allowed
> corecmd_dontaudit_getattr_bin_files(konqueror_t)
> corecmd_dontaudit_exec_all_executables(konqueror_t)
> tunable_policy(`konqueror_exec_bin_t',`
> corecmd_getattr_bin_files(konqueror_t)
getattr is included in corecmd_exec_bin so can probably be removed
> corecmd_exec_bin(konqueror_t)
> ')
>
> # Access to kde_shared_home_t, should be reduced in future
> # Transition so that konqueror_home_files in kde_shared_home_t dir
> # wouldn't switch to parent directory type
> optional_policy(`
> kde_manage_home_files(konqueror_t)
> files_kde_home_filetrans(konqueror_t, konqueror_home_t)
use manage_file_pattern instead
> ')
>
> # For testing purposes only!
> # Should be in userdom.if
> gen_require(`
> type unconfined_t;
> role unconfined_r;
> ')
>
> konqueror_role(unconfined_r, unconfined_t)
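The review comments above, applied to the two interfaces they target, as an added example (editor's code, not Nicky726's attachment and not Dominick Grift's reply). It assumes the refpolicy interfaces userdom_search_user_home_dirs and userdom_stream_connect that the review names, and leaves the rest of the kde and konqueror modules unchanged:

```selinux
########################################
## <summary>
##	Search kde_shared_home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kde_search_home_dir',`
	gen_require(`
		type kde_shared_home_t;
	')

	# ~/.kde lives under the user home directory, so the caller needs
	# search on user_home_dir_t first; files_search_rw alone does not
	# reach it (review comment on kde_search_home_dir).
	userdom_search_user_home_dirs($1)
	allow $1 kde_shared_home_t:dir search_dir_perms;
')

########################################
## <summary>
##	Role access for konqueror.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`konqueror_role',`
	gen_require(`
		type konqueror_t, konqueror_home_t;
	')

	role $1 types konqueror_t;
	konqueror_domtrans($2)

	# Inheritance across the transition is silenced, not granted
	# (review: "can probably be dontaudited").
	dontaudit $2 konqueror_t:process { noatsecure siginh rlimitinh };

	allow konqueror_t $2:fd use;
	# signal_perms instead of listing sigchld/signull/sigkill by hand.
	allow konqueror_t $2:process signal_perms;
	# userdom_stream_connect instead of a raw connectto rule on $2;
	# it covers every user domain, not only $2.
	userdom_stream_connect(konqueror_t)

	# The dbus class only exists when the dbus module is present, so the
	# require and the rules that need it go inside optional_policy; the
	# module then still builds and loads on a system without dbus policy.
	optional_policy(`
		gen_require(`
			class dbus acquire_svc;
		')

		allow konqueror_t $2:dbus acquire_svc;
		konqueror_dbus_chat($2)
	')

	# Allow the user domain to signal/ps.
	ps_process_pattern($2, konqueror_t)
	allow $2 konqueror_t:process signal_perms;
	allow $2 konqueror_t:fd use;
	allow $2 konqueror_t:shm { associate getattr unix_read unix_write };
	allow $2 konqueror_t:unix_stream_socket connectto;

	manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
')
```

The practical check after rebuilding is that the module still links on a policy built without the dbus module (the optional block is simply dropped), and that `ausearch -m avc -c konqueror` after a normal session shows no new denials for the inheritance permissions, since dontaudit hides them, while any remaining denial points at an access the role genuinely needs.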
* [refpolicy] Basic policy for KDE and Konqueror, 2nd look
@ 2009-09-10 13:12 Nicky 726
From: Nicky 726 @ 2009-09-10 13:12 UTC (permalink / raw)
To: refpolicy
Hello,
Dominick Grift wrote:
>> ########################################
>> ## <summary>
>> ##	Create file, dir, links of specified type in
>> ##	kde_shared_home_t dirs with type transition
>> ## </summary>
>> ## <param name="domain">
>> ##	<summary>
>> ##	Domain allowed access
>> ##	</summary>
>> ## </param>
>> ## <param name="private type">
>> ##	<summary>
>> ##	Private type of created object
>> ##	</summary>
>> ## </param>
>> #
>> interface(`files_kde_home_filetrans',`
>>	gen_require(`
>>		type kde_shared_home_t;
>>	')
>>
>>	type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;
>>
>> ')
> This is a bad idea. Processes should not type transition to a type that they do not own.
> Use manage_files_pattern instead.
>>
This is because of konqueror config files in the directory
~/.kde/share/config/. The directory has type kde_shared_home_t and the
config files konqueror_home_t. Now, when these files are rewritten,
they switch to the directory type kde_shared_home_t without this type
transition. This is unwanted, as they should keep their own type
konqueror_home_t. I tried to keep the functionality with
manage_files_pattern, but I was unsuccessful. When I think of it more,
I don't agree that the process is type transitioning to a type that it
doesn't own, as it is called by the process konqueror_t and the files
switch to type konqueror_home_t. But it can probably be called with
whatever type one wants, though it is not in my policy, so I think it
is not an issue, or is it?
Thanks for your time,
Ondrej Vadinsky
--
"Don't it always seem to go
That you don't know what you've got
Till it's gone."
(Joni Mitchell)
From: Dominick Grift @ 2009-09-10 13:33 UTC (permalink / raw)
To: refpolicy
On Thu, Sep 10, 2009 at 03:12:59PM +0200, Nicky 726 wrote:
> Hello,
>
> Dominick Grift wrote:
> >> ########################################
> >> ## <summary>
> >> ##	Create file, dir, links of specified type in
> >> ##	kde_shared_home_t dirs with type transition
> >> ## </summary>
> >> ## <param name="domain">
> >> ##	<summary>
> >> ##	Domain allowed access
> >> ##	</summary>
> >> ## </param>
> >> ## <param name="private type">
> >> ##	<summary>
> >> ##	Private type of created object
> >> ##	</summary>
> >> ## </param>
> >> #
> >> interface(`files_kde_home_filetrans',`
> >>	gen_require(`
> >>		type kde_shared_home_t;
> >>	')
> >>
> >>	type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;
> >>
> >> ')
> > This is a bad idea. Processes should not type transition to a type that they do not own.
> > Use manage_files_pattern instead.
> >>
>
> This is because of konqueror config files in the directory
> ~/.kde/share/config/. The directory has type kde_shared_home_t and the
> config files konqueror_home_t. Now, when these files are rewritten,
> they switch to the directory type kde_shared_home_t without this type
> transition. This is unwanted, as they should keep their own type
> konqueror_home_t. I tried to keep the functionality with
> manage_files_pattern, but I was unsuccessful. When I think of it more,
> I don't agree that the process is type transitioning to a type that it
> doesn't own, as it is called by the process konqueror_t and the files
> switch to type konqueror_home_t. But it can probably be called with
> whatever type one wants, though it is not in my policy, so I think it
> is not an issue, or is it?
>
The location is owned by kde (it's called .kde) and konqueror needs to manage files there, so I really think manage_file_pattern is better.
The name of the type kde_shared_home_t also suggests that: it is a location with objects that kde shares with other domains, for example konqueror. kde owns the (shared) location and konqueror manages stuff there.
My $0.2, I might be wrong about it.
> Thanks for your time,
> Ondrej Vadinsky
>
> --
> "Don't it always seem to go
> That you don't know what you've got
> Till it's gone."
>
> (Joni Mitchell)
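The labelling behaviour behind this exchange is that an object created inside a kde_shared_home_t directory receives the directory's type unless a type_transition rule for the creating domain names another one; if an application saves a config file by creating a new file (for instance writing to a temporary file and renaming it over the old one), the saved file therefore comes out as kde_shared_home_t, which matches what Nicky reports. The refpolicy convention for this case is that the module owning the directory type exports a filetrans interface, prefixed with its own module name, built on the support macro filetrans_pattern, with the private type and the object class supplied by the caller (files_tmp_filetrans in refpolicy has the same shape). Written out as an added example (editor's code, not from either participant; the interface name kde_home_filetrans and its third parameter are this example's choices):

```selinux
# kde.if
#
# The interface lives in the module that owns kde_shared_home_t. A caller
# can only pass a type it can name in its own policy, which is how refpolicy
# scopes the "transition to a type you do not own" concern raised above.
########################################
## <summary>
##	Create objects in kde_shared_home_t directories
##	with an automatic type transition to a private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class(es) of the object being created.
##	</summary>
## </param>
#
interface(`kde_home_filetrans',`
	gen_require(`
		type kde_shared_home_t;
	')

	userdom_search_user_home_dirs($1)
	# filetrans_pattern expands to
	#   allow $1 kde_shared_home_t:dir rw_dir_perms;
	#   type_transition $1 kde_shared_home_t:$3 $2;
	# so the caller gets exactly the directory access the transition needs.
	filetrans_pattern($1, kde_shared_home_t, $2, $3)
')

# konqueror.te
#
# Files and links konqueror creates under ~/.kde/share/config are created
# as konqueror_home_t instead of inheriting kde_shared_home_t, and
# konqueror_manage_home(konqueror_t) already covers them afterwards.
optional_policy(`
	kde_manage_home_files(konqueror_t)
	kde_home_filetrans(konqueror_t, konqueror_home_t, { file lnk_file })
')
```

Two checks after loading the modules: `sesearch -T -s konqueror_t -t kde_shared_home_t` lists the type_transition rule the macro produced, and `ls -Z ~/.kde/share/config/konquerorrc` after Konqueror has saved a setting should still show konqueror_home_t. Because konqueror.fc already labels those paths konqueror_home_t, `restorecon` on the directory repairs any file that was created before the rule was in place.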