Policy for Konqueror

Policy for Konqueror

[Dave Feustel]

A question from a newbie:
Has anyone developed a selinux policy for konqueror?

Thanks.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Policy for Konqueror

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Feustel wrote:
> A question from a newbie:
> Has anyone developed a selinux policy for konqueror?
> 
> Thanks.
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
NO although the policy for firefox/mozilla would probably work.  Writing
a general purpose policy for a web browser that can do everything a web
browser is designed to do, is probably a waste of time, and will not
work the way you want.  If you have good Security Goals about the only
things you want the Browser to do, you might have a better shot.  But
the web browser being able to launch helper apps (ooffice, evince,
realplayer, mplayer, and hundreds of others make writing a good policy
near impossible.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk0BE4ACgkQrlYvE4MpobMvLgCgjU2EbLyG0M3ZdbgYJVKpFQzh
r4AAoM8/wTN45VNJwztmVe8LjeVEo7Su
=2n6+
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Policy for Konqueror

[Dave Feustel]

On Mon, Dec 01, 2008 at 10:35:42AM -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Dave Feustel wrote:
> > A question from a newbie:
> > Has anyone developed a selinux policy for konqueror?
> > 
> > Thanks.
> > 
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> NO although the policy for firefox/mozilla would probably work.  Writing
> a general purpose policy for a web browser that can do everything a web
> browser is designed to do, is probably a waste of time, and will not
> work the way you want.  If you have good Security Goals about the only
> things you want the Browser to do, you might have a better shot.  But
> the web browser being able to launch helper apps (ooffice, evince,
> realplayer, mplayer, and hundreds of others make writing a good policy
> near impossible.

Thanks for the response. After I posted the question I found the
following passages in the book _SELINUX: NASA'a Opensource Security Enhanced Linux_:

(p.40)

"The KDE Desktop has so far proven more resistant to interoperation with
SELinux than its rival desktop, GNOME. The central problem is that
various KDE programs run as identically named processes. Thus SELinux
cannot assign these KDE processes to distinct domains. One result of
this inability is that KDE's temporary files sometimes cannot be labeled
with appropriate domains. Thus with respect to KDE,
SELinux policies tend either to be too restrictive or too lax. We can
hope that a future release of KDE or SELinux will somehow address this
propblem. In the meantime, for those using SELinux, GNOME is generally a
better desktop choice than KDE."

(and on p.94)

"When using KDE, you may find that several graphical applications or
features don't work properly. This occurs because KDE starts a variety
of execuables with the same process name, kdeinit. No simple fix exists
for such problems, since a simple fix would entail loosening security to
an unacceptable extent. You may find it more convenient to use a desktop
other than KDE - such as GNOME - when running SELinux.

"A workaround is to log out of KDE and remove all KDE-related temporary
files from /var/tmp. Then log into KDE and see if the problems persist."

My interest in SELinux was tweaked by the thought that perhaps a policy
for KDE or Konqueror could be developed that would cut down on the
problems I have recently been experiencing with Konqueror. Such a policy
looks pretty unlikely unless KDE and Konqueror code is recast to a more
SELinux-friendly form.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Policy for Konqueror

[Russell Coker]

On Tuesday 02 December 2008 03:17, Dave Feustel <dfeustel@mindspring.com> 
wrote:
> "When using KDE, you may find that several graphical applications or
> features don't work properly. This occurs because KDE starts a variety
> of execuables with the same process name, kdeinit. No simple fix exists
> for such problems, since a simple fix would entail loosening security to
> an unacceptable extent. You may find it more convenient to use a desktop
> other than KDE - such as GNOME - when running SELinux.

http://www.nsa.gov/selinux/list-archive/0504/11252.cfm

This was covered in 2004 and again in 2005.  At that time it was easy to solve 
this problem.

Recent versions of KDE seem to have made this more difficult.  I expect that 
if you were prepared to do some minor hacking on KDE source it wouldn't be 
difficult to make it run without kdeinit.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.