[refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

[refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/16/2010 12:16 PM, Nicky726 wrote:
> Hello,
> 
> while working on confinement of selected KDE apps, I came to following issue:
> 
> Directories ~/.config, ~/.local, ~/.local/share (and possibly others) are 
> labeled as config_home_t, gconf_home_t and data_home_t all owned by gnome 
> module. These directories are used by much more programs than just GNOME, 
> ranging from KDE apps, pure Qt or GTK apps to for exaple ibus. User's trash is 
> also put in one of those. 
> Therefore I think, that the directories should be labeled with types that are 
> owned by another application/DE unspecific module (Dominick Grift in 
> conversation mentioned these are part of freedesktop specifications, so I 
> guess it can be named eg. freedesktop). And their naming should also resign 
> from application specific names, which is the case of gconf_home_t for 
> ~/.local.
> 
> Regards,
> Ondrej Vadinsky
That is fine, and messages like this should go to the refpolicy mail
list. refpolicy at oss.tresys.com

We have lots of types that have used specific applications and ended up
being used by other applications.  We have not gone back and changed the
names, mainly because of the hassle.  For example.

/usr/bin/epiphany	--	system_u:object_r:mozilla_exec_t:s0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkySbl8ACgkQrlYvE4MpobOaWgCeJPh7wPZ5Hrxd+7MzR5AT3t8I
S7sAoKrglUIHF0Jyrq9RAa7RPr5I4SLF
=yLI2
-----END PGP SIGNATURE-----

[refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

[Nicky726]

Dne ?t 16. z??? 2010 21:22:07 jste napsal(a):
> On 09/16/2010 12:16 PM, Nicky726 wrote:
> > Hello,
> > 
> > while working on confinement of selected KDE apps, I came to following
> > issue:
> > 
> > Directories ~/.config, ~/.local, ~/.local/share (and possibly others) are
> > labeled as config_home_t, gconf_home_t and data_home_t all owned by gnome
> > module. These directories are used by much more programs than just GNOME,
> > ranging from KDE apps, pure Qt or GTK apps to for exaple ibus. User's
> > trash is also put in one of those.
> > Therefore I think, that the directories should be labeled with types that
> > are owned by another application/DE unspecific module (Dominick Grift in
> > conversation mentioned these are part of freedesktop specifications, so
> > I guess it can be named eg. freedesktop). And their naming should also
> > resign from application specific names, which is the case of
> > gconf_home_t for ~/.local.
> > 
> > Regards,
> > Ondrej Vadinsky
> 
> That is fine, and messages like this should go to the refpolicy mail
> list. refpolicy at oss.tresys.com

Those types seem to be part of Fedora SELinux policy, I could not find them in 
refpolicy, therefore I wrote to Fedora mailing list.

> We have lots of types that have used specific applications and ended up
> being used by other applications.  We have not gone back and changed the
> names, mainly because of the hassle.  For example.
> 
> /usr/bin/epiphany	--	system_u:object_r:mozilla_exec_t:s0

Uh, ok, if you say so.

Regards,
Ondrej Vadinsky

-- 
Don't it always seem to go
That you don't know what you've got
Till it's gone

(Joni Mitchell)

[refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/16/2010 05:13 PM, Nicky726 wrote:
> Dne ?t 16. z??? 2010 21:22:07 jste napsal(a):
>> On 09/16/2010 12:16 PM, Nicky726 wrote:
>>> Hello,
>>>
>>> while working on confinement of selected KDE apps, I came to following
>>> issue:
>>>
>>> Directories ~/.config, ~/.local, ~/.local/share (and possibly others) are
>>> labeled as config_home_t, gconf_home_t and data_home_t all owned by gnome
>>> module. These directories are used by much more programs than just GNOME,
>>> ranging from KDE apps, pure Qt or GTK apps to for exaple ibus. User's
>>> trash is also put in one of those.
>>> Therefore I think, that the directories should be labeled with types that
>>> are owned by another application/DE unspecific module (Dominick Grift in
>>> conversation mentioned these are part of freedesktop specifications, so
>>> I guess it can be named eg. freedesktop). And their naming should also
>>> resign from application specific names, which is the case of
>>> gconf_home_t for ~/.local.
>>>
>>> Regards,
>>> Ondrej Vadinsky
>>
>> That is fine, and messages like this should go to the refpolicy mail
>> list. refpolicy at oss.tresys.com
> 
> Those types seem to be part of Fedora SELinux policy, I could not find them in 
> refpolicy, therefore I wrote to Fedora mailing list.
> 
>> We have lots of types that have used specific applications and ended up
>> being used by other applications.  We have not gone back and changed the
>> names, mainly because of the hassle.  For example.
>>
>> /usr/bin/epiphany	--	system_u:object_r:mozilla_exec_t:s0
> 
> Uh, ok, if you say so.
> 
> Regards,
> Ondrej Vadinsky
> 
BTW I am not arguing with you and since they are not in refpolicy yet,
it makes it easier to change them.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkySjVgACgkQrlYvE4MpobOubQCdGzilPuXdfG14pnmZlsrkaeSu
+c0AniORKRJMkLBoYAbAynSuKCku2A8D
=F+x5
-----END PGP SIGNATURE-----

[refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

[Nicky726]

Dne ?t 16. z??? 2010 23:34:16 jste napsal(a): 
> On 09/16/2010 05:13 PM, Nicky726 wrote:
> > Dne ?t 16. z??? 2010 21:22:07 jste napsal(a):
> >> On 09/16/2010 12:16 PM, Nicky726 wrote:
> >>> Hello,
> >>> 
> >>> while working on confinement of selected KDE apps, I came to following
> >>> issue:
> >>> 
> >>> Directories ~/.config, ~/.local, ~/.local/share (and possibly others)
> >>> are labeled as config_home_t, gconf_home_t and data_home_t all owned
> >>> by gnome module. These directories are used by much more programs than
> >>> just GNOME, ranging from KDE apps, pure Qt or GTK apps to for exaple
> >>> ibus. User's trash is also put in one of those.
> >>> Therefore I think, that the directories should be labeled with types
> >>> that are owned by another application/DE unspecific module (Dominick
> >>> Grift in conversation mentioned these are part of freedesktop
> >>> specifications, so I guess it can be named eg. freedesktop). And their
> >>> naming should also resign from application specific names, which is
> >>> the case of
> >>> gconf_home_t for ~/.local.
> >>> 
> >>> Regards,
> >>> Ondrej Vadinsky
> >> 
> >> That is fine, and messages like this should go to the refpolicy mail
> >> list. refpolicy at oss.tresys.com
> > 
> > Those types seem to be part of Fedora SELinux policy, I could not find
> > them in refpolicy, therefore I wrote to Fedora mailing list.
> > 
> >> We have lots of types that have used specific applications and ended up
> >> being used by other applications.  We have not gone back and changed the
> >> names, mainly because of the hassle.  For example.
> >> 
> >> /usr/bin/epiphany	--	system_u:object_r:mozilla_exec_t:s0
> > 
> > Uh, ok, if you say so.
> > 
> > Regards,
> > Ondrej Vadinsky
> 
> BTW I am not arguing with you and since they are not in refpolicy yet,
> it makes it easier to change them.

I guess I misunderstood. You intend to eventually fix it then?

Regards
Ondrej Vadinsky

-- 
Don't it always seem to go
That you don't know what you've got
Till it's gone

(Joni Mitchell)

[refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/17/2010 03:37 AM, Nicky726 wrote:
> Dne ?t 16. z??? 2010 23:34:16 jste napsal(a): 
>> On 09/16/2010 05:13 PM, Nicky726 wrote:
>>> Dne ?t 16. z??? 2010 21:22:07 jste napsal(a):
>>>> On 09/16/2010 12:16 PM, Nicky726 wrote:
>>>>> Hello,
>>>>>
>>>>> while working on confinement of selected KDE apps, I came to following
>>>>> issue:
>>>>>
>>>>> Directories ~/.config, ~/.local, ~/.local/share (and possibly others)
>>>>> are labeled as config_home_t, gconf_home_t and data_home_t all owned
>>>>> by gnome module. These directories are used by much more programs than
>>>>> just GNOME, ranging from KDE apps, pure Qt or GTK apps to for exaple
>>>>> ibus. User's trash is also put in one of those.
>>>>> Therefore I think, that the directories should be labeled with types
>>>>> that are owned by another application/DE unspecific module (Dominick
>>>>> Grift in conversation mentioned these are part of freedesktop
>>>>> specifications, so I guess it can be named eg. freedesktop). And their
>>>>> naming should also resign from application specific names, which is
>>>>> the case of
>>>>> gconf_home_t for ~/.local.
>>>>>
>>>>> Regards,
>>>>> Ondrej Vadinsky
>>>>
>>>> That is fine, and messages like this should go to the refpolicy mail
>>>> list. refpolicy at oss.tresys.com
>>>
>>> Those types seem to be part of Fedora SELinux policy, I could not find
>>> them in refpolicy, therefore I wrote to Fedora mailing list.
>>>
>>>> We have lots of types that have used specific applications and ended up
>>>> being used by other applications.  We have not gone back and changed the
>>>> names, mainly because of the hassle.  For example.
>>>>
>>>> /usr/bin/epiphany	--	system_u:object_r:mozilla_exec_t:s0
>>>
>>> Uh, ok, if you say so.
>>>
>>> Regards,
>>> Ondrej Vadinsky
>>
>> BTW I am not arguing with you and since they are not in refpolicy yet,
>> it makes it easier to change them.
> 
> I guess I misunderstood. You intend to eventually fix it then?
> 
> Regards
> Ondrej Vadinsky
> 
No I am saying you can suggest renames and try to get them upstream, if
you do I will convert to using them. Once they are upstream it becomes a
pain to change.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyTZ2YACgkQrlYvE4MpobPYhgCcC4KjQQN5PYU4aIzicPI42Ab5
eXUAoKxiFq+N8WJ9ueFrO6xJTqFtOnQd
=NWgL
-----END PGP SIGNATURE-----

[refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

[Nicky726]

Dne P? 17. z??? 2010 15:04:38 jste napsal(a):
> No I am saying you can suggest renames and try to get them upstream, if
> you do I will convert to using them. Once they are upstream it becomes a
> pain to change.

By the upstream you mean refpolicy? Will it be a valid module, that just 
defines those types, creates interfaces to access them in ways and labels the 
directories?

Thanx,
Ondrej Vadinsky

-- 
Don't it always seem to go
That you don't know what you've got
Till it's gone

(Joni Mitchell)

[refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

[Dominick Grift]

On 09/18/2010 11:42 AM, Nicky726 wrote:
> Dne P? 17. z??? 2010 15:04:38 jste napsal(a):
>> No I am saying you can suggest renames and try to get them upstream, if
>> you do I will convert to using them. Once they are upstream it becomes a
>> pain to change.
> 
> By the upstream you mean refpolicy? Will it be a valid module, that just 
> defines those types, creates interfaces to access them in ways and labels the 
> directories?

I do not think so.

Its part of a larger issue that we need to find consensus on in the
community.

The problem is that we just declare types and define contexts, but that
no module really owns it.

That does not makes sense from the perspective of SELinux?

How did these object get on the file system in the first place? which,
if any package installed them (obviously no package installs ~/.config)

I have yet to find out what creates ~/.config, I suspect it is
gnome-session (in Gnome) but i am not sure.

And even then if we find out there are other loosely related issues.

For example the other xdg directories in HOME_DIR created by XDG. Like
Downloads, Videos, Documents, Music, Pictures, Templates etc.

In Fedora, most of these are not labelled explicitly yet either with the
exception of Music i believe.

The problem here is that XDG creates these directories in the applicable
locale (language)

How would be guarantee that these locations get labelled properly for
all languages?

With regard to HOME_DIR/\{.config, .local, .cache} we rely on
restorecond to ensure proper labelling in Fedora.

I suspect that upstream however will not accept making that assumption,
thus i do not believe refpolicy will adopt fedoras' solution for dealing
with the Freedesktop XDG specifications.

Another piece in the puzzle called: confining the user space.

The key issue in my view is the we need consensus in the community about
how to go forward with the user space.

> Thanx,
> Ondrej Vadinsky
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100918/0223b5b7/attachment.bin 

[refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

[Nicky726]

Dne sobota 18 z??? 2010 19:00:01 Dominick Grift napsal(a):
> > Dne P? 17. z??? 2010 15:04:38 jste napsal(a):
> >> No I am saying you can suggest renames and try to get them upstream, if
> >> you do I will convert to using them. Once they are upstream it becomes a
> >> pain to change.
> > 
> > By the upstream you mean refpolicy? Will it be a valid module, that just
> > defines those types, creates interfaces to access them in ways and labels
> > the directories?
> 
> I do not think so.
> 
> Its part of a larger issue that we need to find consensus on in the
> community.
> 
> The problem is that we just declare types and define contexts, but that
> no module really owns it.
> 
> That does not makes sense from the perspective of SELinux?
> 
> How did these object get on the file system in the first place? which,
> if any package installed them (obviously no package installs ~/.config)
> 
> I have yet to find out what creates ~/.config, I suspect it is
> gnome-session (in Gnome) but i am not sure.

More interesting may be, if it is created by one or by more applications. It 
is used by gnome apps, kde apps, but even pure qt or gtk apps. What happens if 
an xsession with just vlc is run on an empty profile? I strongly doubt it will 
call gnome-session or some kde related setup program, as it is pure qt 
application, does not depend on etheir. There must either be some more 
highlevel program which creates it for various DE's or every app creates it by 
itself in case it does not already exist. If the firs case is true, we can find 
it and  create module for it which will own the types. If the second case is 
true, the policy should find its way to live with it in this case the module 
with just types doesn't seem that bad with me. 
Those are just my thoughts, I would really like to hear more competent people 
talking about it.
 
> And even then if we find out there are other loosely related issues.
> 
> For example the other xdg directories in HOME_DIR created by XDG. Like
> Downloads, Videos, Documents, Music, Pictures, Templates etc.
> 
> In Fedora, most of these are not labelled explicitly yet either with the
> exception of Music i believe.
> 
> The problem here is that XDG creates these directories in the applicable
> locale (language)
> 
> How would be guarantee that these locations get labelled properly for
> all languages?
> 
> With regard to HOME_DIR/\{.config, .local, .cache} we rely on
> restorecond to ensure proper labelling in Fedora.
> 
> I suspect that upstream however will not accept making that assumption,
> thus i do not believe refpolicy will adopt fedoras' solution for dealing
> with the Freedesktop XDG specifications.
> 
> Another piece in the puzzle called: confining the user space.
> 
> The key issue in my view is the we need consensus in the community about
> how to go forward with the user space.

Yes I agree.

Regards, 
Ondrej Vadinsky
-- 
Don't it always seem to go
That you don't know what you've got
Till it's gone

(Joni Mitchell)

[refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/20/2010 03:38 PM, Nicky726 wrote:
> Dne sobota 18 z??? 2010 19:00:01 Dominick Grift napsal(a):
>>> Dne P? 17. z??? 2010 15:04:38 jste napsal(a):
>>>> No I am saying you can suggest renames and try to get them upstream, if
>>>> you do I will convert to using them. Once they are upstream it becomes a
>>>> pain to change.
>>>
>>> By the upstream you mean refpolicy? Will it be a valid module, that just
>>> defines those types, creates interfaces to access them in ways and labels
>>> the directories?
>>
>> I do not think so.
>>
>> Its part of a larger issue that we need to find consensus on in the
>> community.
>>
>> The problem is that we just declare types and define contexts, but that
>> no module really owns it.
>>
>> That does not makes sense from the perspective of SELinux?
>>
>> How did these object get on the file system in the first place? which,
>> if any package installed them (obviously no package installs ~/.config)
>>
>> I have yet to find out what creates ~/.config, I suspect it is
>> gnome-session (in Gnome) but i am not sure.
> 
> More interesting may be, if it is created by one or by more applications. It 
> is used by gnome apps, kde apps, but even pure qt or gtk apps. What happens if 
> an xsession with just vlc is run on an empty profile? I strongly doubt it will 
> call gnome-session or some kde related setup program, as it is pure qt 
> application, does not depend on etheir. There must either be some more 
> highlevel program which creates it for various DE's or every app creates it by 
> itself in case it does not already exist. If the firs case is true, we can find 
> it and  create module for it which will own the types. If the second case is 
> true, the policy should find its way to live with it in this case the module 
> with just types doesn't seem that bad with me. 
> Those are just my thoughts, I would really like to hear more competent people 
> talking about it.
>  
>> And even then if we find out there are other loosely related issues.
>>
>> For example the other xdg directories in HOME_DIR created by XDG. Like
>> Downloads, Videos, Documents, Music, Pictures, Templates etc.
>>
>> In Fedora, most of these are not labelled explicitly yet either with the
>> exception of Music i believe.
>>
>> The problem here is that XDG creates these directories in the applicable
>> locale (language)
>>
>> How would be guarantee that these locations get labelled properly for
>> all languages?
>>
>> With regard to HOME_DIR/\{.config, .local, .cache} we rely on
>> restorecond to ensure proper labelling in Fedora.
>>
>> I suspect that upstream however will not accept making that assumption,
>> thus i do not believe refpolicy will adopt fedoras' solution for dealing
>> with the Freedesktop XDG specifications.
>>
>> Another piece in the puzzle called: confining the user space.
>>
>> The key issue in my view is the we need consensus in the community about
>> how to go forward with the user space.
> 
> Yes I agree.
> 
> Regards, 
> Ondrej Vadinsky


I think the real solution to this is to put this into the kernel.  We
need to define rules that says, if I create a directory within a
directory labeled user_home_dir_t named .config, the kernel should
create it labeled config_home_t.

Any other solution including restorecond is going to be prone to failure.

Similarly we could say if an app create resolv.conf withing etc_t it
needs to labeled net_conf_t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyblWQACgkQrlYvE4MpobNqdwCgsGQLlw1a6TnyPVzBPSwMleWw
M8YAn1UazRM4dDLATEO3aq5eZvknCCrs
=nykw
-----END PGP SIGNATURE-----