From: nicky726@gmail.com (Nicky726)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Basic policy for KDE and Konqueror, third look
Date: Wed, 27 Jan 2010 16:23:36 +0100	[thread overview]
Message-ID: <201001271623.37040.Nicky726@gmail.com> (raw)
In-Reply-To: <1253107894.27614.45.camel@gorn.columbia.tresys.com>

Hello,

here I am again after some time, with my Konqueror policy-related questions. I
was too busy with school, but by now I have managed to incorporate almost all
comments by Chris PeBenito. I only need to do some testing, which is where I
got stuck again.

I've got this ugly hack just for testing purposes:

# Testing-only hook from konqueror.te: call the konqueror role interface for
# the unconfined role and domain so the transition into konqueror_t can be
# exercised.
# NOTE(review): the transition set up by konqueror_domtrans keys on the
# konqueror_exec_t entry point. The file contexts are not shown here, so
# confirm with ls -Z that the installed binary carries that label, and that
# the desktop really executes that file when it starts the browser.
gen_require(`
	role unconfined_r;
	type unconfined_t;
')

konqueror_role(unconfined_r, unconfined_t)

in konqueror.te so that Konqueror is run in the correct context (work-in-progress
.if file included). The problem is that when I run Konqueror, the context is not
changed; it is still unconfined...

Did I miss some revolutionary change in refpolicy or Fedora in the last 4
months which causes this, or do I have some stupid mistake in my policy?

I was also trying to put this konqueror_role call where it should
be -- not that I'm sure where that is, as there is a big difference between
refpolicy and Fedora. To make it short, there is too much code for me to
follow, and too many changes in the Fedora policy patches. How do the refpolicy
developers test their policies, btw?

Guess that's all for now. Thanks for your answers and patience,
Ondrej Vadinsky 
-- 
Don`t it always seem to go
That you don`t know what you`ve got
Till it`s gone.

		(Joni Mitchell)
-------------- next part --------------
## <summary>Konqueror KDE web browser</summary>

########################################
## <summary>
##	Role access for the konqueror domain.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`konqueror_role',`
	gen_require(`
		type konqueror_t, konqueror_exec_t, konqueror_home_t;
	')

	# TODO: test which of the rules below are really needed.

	# Authorise the role for konqueror_t and give the user domain the
	# transition into it.
	role $1 types konqueror_t;
	konqueror_domtrans($2)

	# Access that konqueror_t gets to the calling user domain.
	# NOTE(review): signal_perms includes sigkill and sigstop. For a
	# domain that handles untrusted web content this is wider than least
	# privilege suggests - confirm which signals are really required.
	allow konqueror_t $2:fd use;
	allow konqueror_t $2:process signal_perms;
	userdom_stream_connect(konqueror_t)

	# noatsecure, siginh and rlimitinh are only dontaudited, not allowed
	# by this interface: the denials stay in force and are not logged.
	dontaudit $2 konqueror_t:process { noatsecure siginh rlimitinh };

	# Access that the user domain gets to konqueror_t: process listing
	# (ps), signals, inherited descriptors, shared memory and stream
	# socket connections.
	ps_process_pattern($2, konqueror_t)
	allow $2 konqueror_t:process signal_perms;
	allow $2 konqueror_t:fd use;
	allow $2 konqueror_t:shm { associate getattr unix_read unix_write };
	allow $2 konqueror_t:unix_stream_socket connectto;

	# The user domain may manage and relabel directories, files and
	# symlinks labelled konqueror_home_t.
	manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
	manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
	relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)

	# Workaround until dbus offers an interface for this: let konqueror_t
	# acquire a dbus service from the user domain.
	optional_policy(`
		gen_require(`
			class dbus acquire_svc;
		')
		allow konqueror_t $2:dbus acquire_svc;
	')

	# Two-way dbus messaging between the user domain and konqueror_t.
	konqueror_dbus_chat($2)
')

########################################
## <summary>
##	Execute a domain transition to run konqueror.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`konqueror_domtrans',`
	gen_require(`
		type konqueror_t, konqueror_exec_t;
	')

	# Source domain is the caller, entry point is konqueror_exec_t and
	# the target domain is konqueror_t.
	domtrans_pattern($1, konqueror_exec_t, konqueror_t)
')


########################################
## <summary>
##	Search directories labelled konqueror_home_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_search_home',`
	gen_require(`
		type konqueror_home_t;
	')

	# Search access to the user home directories and to the
	# konqueror_home_t directories.
	userdom_search_user_home_dirs($1)
	allow $1 konqueror_home_t:dir search_dir_perms;

	# NOTE(review): files_search_rw looks like a template leftover for a
	# type named after the home directory - confirm it is needed.
	files_search_rw($1)
')

########################################
## <summary>
##	Read files labelled konqueror_home_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_read_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	# Search the user home directories, then list konqueror_home_t
	# directories and read the files in them.
	userdom_search_user_home_dirs($1)
	allow $1 konqueror_home_t:dir list_dir_perms;
	allow $1 konqueror_home_t:file read_file_perms;

	# NOTE(review): files_search_rw looks like a template leftover for a
	# type named after the home directory - confirm it is needed.
	files_search_rw($1)
')

########################################
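## <summary>
##	Manage konqueror_home_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_files',`
	gen_require(`
		type konqueror_home_t;
	')

	# Pattern macros expand to complete rules and take no trailing
	# semicolon. The first type is the containing directory and the
	# second is the file type being managed.
	manage_files_pattern($1, konqueror_home_t, konqueror_home_t)
	userdom_search_user_home_dirs($1)
')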

########################################
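## <summary>
##	Manage konqueror_home_t symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_symlinks',`
	gen_require(`
		type konqueror_home_t;
	')

	# Pattern macros expand to complete rules and take no trailing
	# semicolon. The first type is the containing directory and the
	# second is the symlink type being managed.
	manage_lnk_files_pattern($1, konqueror_home_t, konqueror_home_t)
	userdom_search_user_home_dirs($1)
')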

########################################
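## <summary>
##	Manage konqueror_home_t directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_manage_home_dirs',`
	gen_require(`
		type konqueror_home_t;
	')

	# Pattern macros expand to complete rules and take no trailing
	# semicolon. The first type is the containing directory and the
	# second is the directory type being managed.
	manage_dirs_pattern($1, konqueror_home_t, konqueror_home_t)
	userdom_search_user_home_dirs($1)
')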

########################################
## <summary>
##	Send and receive messages from
##	konqueror over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`konqueror_dbus_chat',`
	gen_require(`
		class dbus send_msg;
		type konqueror_t;
	')

	# send_msg is granted in both directions so that replies from either
	# side are permitted as well.
	allow konqueror_t $1:dbus send_msg;
	allow $1 konqueror_t:dbus send_msg;
')

########################################
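## <summary>
##	All of the rules required to administrate
##	a konqueror environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the konqueror domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the user terminal.
##	</summary>
## </param>
## <rolecap/>
#
interface(`konqueror_admin',`
	gen_require(`
		type konqueror_t;
	')

	# Only the first argument (the admin domain) is used below. The role
	# and terminal arguments are accepted but never referenced.

	# NOTE(review): ptrace gives the admin domain debugger-level control
	# over konqueror_t processes - confirm it is needed next to the
	# signal and getattr permissions.
	allow $1 konqueror_t:process { ptrace signal_perms getattr };

	# Read files labelled konqueror_t - presumably the /proc entries of
	# the process. TODO confirm.
	read_files_pattern($1, konqueror_t, konqueror_t)

	# This file defines no konqueror_manage_home interface so the three
	# per-class home interfaces that it does define are called instead.
	konqueror_manage_home_dirs($1)
	konqueror_manage_home_files($1)
	konqueror_manage_home_symlinks($1)

	optional_policy(`
		kde_manage_tmp($1)
	')
')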


Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-09-14  9:20 [refpolicy] Basic policy for KDE and Konqueror, third look Nicky726
2009-09-16 13:31 ` Christopher J. PeBenito
2010-01-27 15:23   ` Nicky726 [this message]
2010-01-27 19:23     ` Justin P. Mattock
2010-01-27 19:42       ` Nicky726
2010-01-27 19:47         ` Justin P. Mattock
  -- strict thread matches above, loose matches on Subject: below --
2009-09-12 12:47 Nicky 726
