[refpolicy] [PATCH 1/1] Added KDE and Konqueror policy. Made necessary changes in staff, unprivuser and unconfined, for it to work.

[refpolicy] [PATCH 1/1] Added KDE and Konqueror policy. Made necessary changes in staff, unprivuser and unconfined, for it to work.

[Nicky726]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-KDE-and-Konqueror-policy.patch
Type: text/x-patch
Size: 16497 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100130/c3ce5909/attachment.bin 

[refpolicy] [PATCH 1/1] Added KDE and Konqueror policy. Made necessary changes in staff, unprivuser and unconfined, for it to work.

[Dominick Grift]

On 01/30/2010 04:02 PM, Nicky726 wrote:
> 

Just some comments and suggestions below:

> allow konqueror_t $2:process signal_perms;

I would call an interface in the user domain instead

> +	dontaudit $2 konqueror_t:process { noatsecure siginh rlimitinh };

This is most likely not required

> +	# X access, Home files
> +	manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> +	manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
> +	manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> +	relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> +	relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
> +	relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)

This is most likely not required ( is included with
userdom_user_home_content()

yet:

> +# Temp acces for konqueror
> +manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> +manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> +manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> +manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)

This does probably require the user to be able to manage it


> +corenet_tcp_sendrecv_all_if(konqueror_t)
> +corenet_tcp_sendrecv_all_nodes(konqueror_t)
> +corenet_tcp_sendrecv_all_ports(konqueror_t)

use generic instead of all

> +# Use shared libs
> +libs_use_ld_so(konqueror_t)
> +libs_use_shared_libs(konqueror_t)

Not required

> +xserver_read_xdm_tmp_files(konqueror_t)
> +xserver_read_user_xauth(konqueror_t)
> +xserver_stream_connect(konqueror_t) #connect to xserver
> +xserver_stream_connect_xdm(konqueror_t) #connect to xdm xserver

Probably better to use xserver_user_x_domain_template()

> +        konqueror_role(staff_r, staff_t)
> +')
> +

Should probably go into userdomain (common use template), but i believe
that for reference policy these calls are not required at all (gets
called automatically)

> +        konqueror_role(user_r, user_t)
> +')

Same as above

> +        konqueror_role(unconfined_r, unconfined_t)
> +')
> +

Not sure whether it is a good idea run let unconfined_t transition

> +HOME_DIR/\.kde/share/config/konq_history	--	gen_context(system_u:object_r:konqueror_home_t,s0)
> +
> +HOME_DIR/\.kde/share/config/konquerorrc		--	gen_context(system_u:object_r:konqueror_home_t,s0)
> +
> +HOME_DIR/\.kde/share/config/konqsidebartng.rc	--	gen_context(system_u:object_r:konqueror_home_t,s0)
> +
> +HOME_DIR/\.kde/share/config/kuriikwsfilterrc	--	gen_context(system_u:object_r:konqueror_home_t,s0)
> +
> +HOME_DIR/\.kde/share/apps/konqueror(/.*)?		gen_context(system_u:object_r:konqueror_home_t,s0)
> +
> +HOME_DIR/\.kde/share/apps/khtml(/.*)?			gen_context(system_u:object_r:konqueror_home_t,s0)

Why not just kde_shared_home_t for everything in ~/.kde

> +	#allow $2 konqueror_t:fd use;
> +	#allow $2 konqueror_t:shm { associate getattr };
> +	#allow $2 konqueror_t:shm { unix_read unix_write };

Not required i believe.

> +# Temp acces for konqueror
> +manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> +manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> +manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> +manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)

where is the file trans pattern? files_tmp_filetrans

> +gen_tunable(konqueror_exec_bin_t, false)

This shouldnt be tunable

> +	#allow $2 konqueror_t:unix_stream_socket connectto;

i would use konqueror_stream_connect($2)







> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100130/01c50b08/attachment.bin 

[refpolicy] [PATCH 1/1] Added KDE and Konqueror policy. Made necessary changes in staff, unprivuser and unconfined, for it to work.

[Nicky726]

Thanks for your comments, I'll provide a better patch soon. In the meantime 
just some notes and questions.
 
> > +# Temp acces for konqueror
> > +manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> > +manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> > +manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> > +manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> 
> This does probably require the user to be able to manage it

What do you mean by this?

> > +        konqueror_role(staff_r, staff_t)
> > +')
> > +
> 
> Should probably go into userdomain (common use template), but i believe
> that for reference policy these calls are not required at all (gets
> called automatically)
> 
> > +        konqueror_role(user_r, user_t)
> > +')
> 
> Same as above
> 
> > +        konqueror_role(unconfined_r, unconfined_t)
> > +')
> > +
> 
> Not sure whether it is a good idea run let unconfined_t transition

Well I'm definitely confused about where to place these calls. Fedora has it 
somewhere, refpolicy elsewhere. Could somebody provide explanation about it?

> 
> > +HOME_DIR/\.kde/share/config/konq_history	--	gen_context(system_u:object_
> >r:konqueror_home_t,s0) +
> > +HOME_DIR/\.kde/share/config/konquerorrc		--	gen_context(system_u:object_
> >r:konqueror_home_t,s0) +
> > +HOME_DIR/\.kde/share/config/konqsidebartng.rc	--	gen_context(system_u:ob
> >ject_r:konqueror_home_t,s0) +
> > +HOME_DIR/\.kde/share/config/kuriikwsfilterrc	--	gen_context(system_u:obj
> >ect_r:konqueror_home_t,s0) +
> > +HOME_DIR/\.kde/share/apps/konqueror(/.*)?		gen_context(system_u:object_r
> >:konqueror_home_t,s0) +
> > +HOME_DIR/\.kde/share/apps/khtml(/.*)?			gen_context(system_u:object_r:ko
> >nqueror_home_t,s0)
> 
> Why not just kde_shared_home_t for everything in ~/.kde
> 

Well, I hope this policy to be just a first step in constructing policies for 
other KDE aplications, which I think should be also confined from each other, 
so that e.g. a weakness in KDE browser would not endager contacts in KDE mail 
client. 

> > +gen_tunable(konqueror_exec_bin_t, false)
> 
> This shouldnt be tunable

Hm, I made it tunable, because I didn't feel quite right to let konqueror run 
bin_t just because of some bug reporting tool. Maybe that was not good idea... 
Any special reasons why it sould not be tunable?

Thanx for your time,
Ondrej Vadinsk?

-- 
Don`t it always seem to go
That you don`t know what you`ve got
Till it`s gone.

		(Joni Mitchell)

[refpolicy] [PATCH 1/1] Added KDE and Konqueror policy. Made necessary changes in staff, unprivuser and unconfined, for it to work.

[Dominick Grift]

On 01/30/2010 08:02 PM, Nicky726 wrote:
> Thanks for your comments, I'll provide a better patch soon. In the meantime 
> just some notes and questions.
>  
>>> +# Temp acces for konqueror
>>> +manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>>> +manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>>> +manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>>> +manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>>
>> This does probably require the user to be able to manage it

Well this content (i assume) is shared between konqueror and users. So
in that case users must be able to manage this content.

> What do you mean by this?
> 
>>> +        konqueror_role(staff_r, staff_t)
>>> +')
>>> +
>>
>> Should probably go into userdomain (common use template), but i believe
>> that for reference policy these calls are not required at all (gets
>> called automatically)
>>
>>> +        konqueror_role(user_r, user_t)
>>> +')

Fedora calls role templates in userdom.if (the common user template)
Refpolicy (i think) uses a mechanism that automatically calls the per
role templates. So you do not have to call the template explicitly like
you do above.

>> Same as above
>>
>>> +        konqueror_role(unconfined_r, unconfined_t)
>>> +')
>>> +
>>
>> Not sure whether it is a good idea run let unconfined_t transition
> 
> Well I'm definitely confused about where to place these calls. Fedora has it 
> somewhere, refpolicy elsewhere. Could somebody provide explanation about it?
> 
>>
>>> +HOME_DIR/\.kde/share/config/konq_history	--	gen_context(system_u:object_
>>> r:konqueror_home_t,s0) +
>>> +HOME_DIR/\.kde/share/config/konquerorrc		--	gen_context(system_u:object_
>>> r:konqueror_home_t,s0) +
>>> +HOME_DIR/\.kde/share/config/konqsidebartng.rc	--	gen_context(system_u:ob
>>> ject_r:konqueror_home_t,s0) +
>>> +HOME_DIR/\.kde/share/config/kuriikwsfilterrc	--	gen_context(system_u:obj
>>> ect_r:konqueror_home_t,s0) +
>>> +HOME_DIR/\.kde/share/apps/konqueror(/.*)?		gen_context(system_u:object_r
>>> :konqueror_home_t,s0) +
>>> +HOME_DIR/\.kde/share/apps/khtml(/.*)?			gen_context(system_u:object_r:ko
>>> nqueror_home_t,s0)
>>
>> Why not just kde_shared_home_t for everything in ~/.kde
>>
> 
> Well, I hope this policy to be just a first step in constructing policies for 
> other KDE aplications, which I think should be also confined from each other, 
> so that e.g. a weakness in KDE browser would not endager contacts in KDE mail 
> client. 
> 
I see. The issue i guess is the "filetrans_pattern". It is not in the
base module. That means you will probably use it in an optional policy
block Also you will not be able to use attributes for this type of
content properly. Other than that i agree that it is a good idea. The
problem is that refpolicy propbably will not accept it.

>>> +gen_tunable(konqueror_exec_bin_t, false)
>>
>> This shouldnt be tunable
> 
> Hm, I made it tunable, because I didn't feel quite right to let konqueror run 
> bin_t just because of some bug reporting tool. Maybe that was not good idea... 
> Any special reasons why it sould not be tunable?

Well i think tunables should only de used for things that affect
security in significant ways. You could consider to just dontaudit it
altogether although that is not a proper solution either.

> Thanx for your time,
> Ondrej Vadinsk?
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100130/89a9f587/attachment.bin