* Howto enable or disable clipboard with selinux?
@ 2010-05-15 17:50 ` Shaz
  0 siblings, 0 replies; 11+ messages in thread
From: Shaz @ 2010-05-15 17:50 UTC (permalink / raw)
  To: selinux, refpolicy

Dear list,

I want to enable or disable the clipboard with booleans. Is there any
available policy that can do this? If not please indicate the relevant place
to start with.

-- 
Shaz

* [refpolicy] Howto enable or disable clipboard with selinux?
  2010-05-15 17:50 ` [refpolicy] " Shaz
  (?)
@ 2010-05-15 18:53 ` Dominick Grift
  -1 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2010-05-15 18:53 UTC (permalink / raw)
  To: refpolicy

On 05/15/2010 07:50 PM, Shaz wrote:
> Dear list,
> 
> I want to enable or disable the clipboard with booleans. Is there any
> available policy that can do this? If not please indicate the relevant place
> to start with.

There is no boolean to enable/disable clipboard functionality.

You would have to enable the xserver access control extension (setsebool
-P xserver_object_manager on && reboot) and modify the policy to
grant/deny access to copy to and read from the clipboard.

Which might not be easy to do. I forgot which classes and permissions
control this, and "XACE" provides plenty of classes and permissions.

I have, however, a while ago created a screencast in which I
demonstrate how to confine a GUI user app (google-gadgets) with the
Xserver access control extension enabled (it is on YouTube: "SELinux
confined a GUI app"). If I remember correctly, it also touches on the
clipboard issue wrt google-gadgets.

* Re: Howto enable or disable clipboard with selinux?
  2010-05-15 17:50 ` [refpolicy] " Shaz
@ 2010-05-19 15:33   ` Shaz
  -1 siblings, 0 replies; 11+ messages in thread
From: Shaz @ 2010-05-19 15:33 UTC (permalink / raw)
  To: selinux, refpolicy

On Sat, May 15, 2010 at 10:50 PM, Shaz <shazalive@gmail.com> wrote:
> Dear list,
>
> I want to enable or disable the clipboard with booleans. Is there any
> available policy that can do this? If not please indicate the relevant place
> to start with.

There was a flaw in this question that someone on the SELinux IRC
channel explained to me. We need to control an application's access to
booleans. But I am still not sure how much and what effort it
requires. Pointers to tutorials or some guidance will be appreciated.

Which version of XACE can do this, going as far back as possible?


-- 
Shaz

* Re: Howto enable or disable clipboard with selinux?
  2010-05-19 15:33   ` [refpolicy] " Shaz
@ 2010-05-19 17:20     ` Eamon Walsh
  -1 siblings, 0 replies; 11+ messages in thread
From: Eamon Walsh @ 2010-05-19 17:20 UTC (permalink / raw)
  To: Shaz; +Cc: selinux, refpolicy

On 05/19/2010 11:33 AM, Shaz wrote:
> On Sat, May 15, 2010 at 10:50 PM, Shaz <shazalive@gmail.com> wrote:
>   
>> Dear list,
>>
>> I want to enable or disable the clipboard with booleans. Is there any
>> available policy that can do this? If not please indicate the relevant place
>> to start with.
>>     
> There was a flaw in this question that someone on selinux irc
> explained to me. We need to control an application's access to
> booleans. But I am still not sure how much and what effort it
> requires? Pointer to tutorials or some guidance will be appreciated.
>
> Which version of XACE can do this going as back and earlier as possible?
>
>
>   


You could deny access to the clipboard by labeling the PRIMARY,
SECONDARY, and CLIPBOARD selections (in the x_contexts file) with a
context that application domains don't have permissions to access.  But
this will result in BadAccess X protocol errors being returned to the
application, which will probably abort() as a result (the standard Xlib
error handling method is to call abort).

You could also polyinstantiate X selections, which would cause the
clipboard to stop working unless the two parties (selection owner and
ConvertSelection request issuer) have the exact same context.  But if
you do this, be aware that there are other selections (besides the
clipboard ones) that you will need to keep as single instances if you
want things like D-Bus to work.  Finding and dealing with all of these
is a topic of interest at the moment.

An x_contexts file with the following "selections" section would
implement the second option (the file is located in the contexts/
directory of the SELinux policy configuration):

#
##
### Rules for X Selections
##
#

# Put all your single-instance exceptions here
selection @server=ibus			system_u:object_r:xselection_t:s0
selection _DBUS_*			system_u:object_r:xselection_t:s0

# Default fallback type, will polyinstantiate everything else
poly_selection *			system_u:object_r:xselection_t:s0






-- 

Eamon Walsh 
National Security Agency
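
Added example (not part of the message above and not SELinux project code): a small Python audit of the quoted "selections" section that reports whether PRIMARY, SECONDARY and CLIPBOARD end up polyinstantiated. It assumes single-instance `selection` entries are consulted before `poly_selection` entries and that the first matching glob of a kind wins; `OVERBROAD_SECTION` and all function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# "selections" section as quoted in the message above.
THREAD_SECTION = """\
# Put all your single-instance exceptions here
selection @server=ibus			system_u:object_r:xselection_t:s0
selection _DBUS_*			system_u:object_r:xselection_t:s0

# Default fallback type, will polyinstantiate everything else
poly_selection *			system_u:object_r:xselection_t:s0
"""

# Constructed misconfiguration: an over-broad single-instance exception.
OVERBROAD_SECTION = THREAD_SECTION + (
    "selection *BOARD\t\tsystem_u:object_r:xselection_t:s0\n")

CLIPBOARD_SELECTIONS = ("PRIMARY", "SECONDARY", "CLIPBOARD")


def parse_selections(text):
    """Return (kind, pattern, context) tuples for selection entries, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if fields[0] not in ("selection", "poly_selection"):
            continue  # other object kinds in x_contexts are out of scope here
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected '<kind> <name> <context>'")
        entries.append(tuple(fields))
    return entries


def resolve(entries, name):
    """Assumed lookup model: single-instance entries are consulted first, then
    poly entries; within one kind the first matching glob in file order wins.
    Returns (is_poly, pattern, context), or None if nothing matches."""
    for kind in ("selection", "poly_selection"):
        for entry_kind, pattern, context in entries:
            if entry_kind == kind and fnmatchcase(name, pattern):
                return kind == "poly_selection", pattern, context
    return None


def audit(text, names=CLIPBOARD_SELECTIONS):
    """Map each selection name to 'poly', 'single' or 'unmatched'."""
    entries = parse_selections(text)
    result = {}
    for name in names:
        hit = resolve(entries, name)
        result[name] = "unmatched" if hit is None else ("poly" if hit[0] else "single")
    return result


if __name__ == "__main__":
    print(audit(THREAD_SECTION))
    print(audit(OVERBROAD_SECTION))
```

A `single` result for a clipboard selection means that selection is still one shared instance across contexts, so the polyinstantiation described above does not isolate it.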


* Re: Howto enable or disable clipboard with selinux?
  2010-05-19 17:20     ` [refpolicy] " Eamon Walsh
@ 2010-05-19 17:33       ` Shaz
  -1 siblings, 0 replies; 11+ messages in thread
From: Shaz @ 2010-05-19 17:33 UTC (permalink / raw)
  To: Eamon Walsh; +Cc: selinux, refpolicy

> You could deny access to the clipboard by labeling the PRIMARY,
> SECONDARY, and CLIPBOARD selections (in the x_contexts file) with a
> context that application domains don't have permissions to access.  But
> this will result in BadAccess X protocol errors being returned to the
> application, which will probably abort() as a result (the standard Xlib
> error handling method is to call abort).
>
> You could also polyinstantiate X selections, which would cause the
> clipboard to stop working unless the two parties (selection owner and
> ConvertSelection request issuer) have the exact same context.  But if
> you do this, be aware that there are other selections (besides the
> clipboard ones) that you will need to keep as single instances if you
> want things like D-Bus to work.  Finding and dealing with all of these
> is a topic of interest at the moment.
>
> An x_contexts file with the following "selections" section would
> implement the second option (the file is located in the contexts/
> directory of the SELinux policy configuration):
>
> #
> ##
> ### Rules for X Selections
> ##
> #
>
> # Put all your single-instance exceptions here
> selection @server=ibus                  system_u:object_r:xselection_t:s0
> selection _DBUS_*                       system_u:object_r:xselection_t:s0
>
> # Default fallback type, will polyinstantiate everything else
> poly_selection *                        system_u:object_r:xselection_t:s0
>

I am finding this difficult to follow ... please suggest some background
reading that is less time-consuming.

-- 
Shaz


* Re: [refpolicy] Howto enable or disable clipboard with selinux?
  2010-05-19 15:33   ` [refpolicy] " Shaz
@ 2010-05-19 17:45     ` Christopher J. PeBenito
  -1 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2010-05-19 17:45 UTC (permalink / raw)
  To: Shaz; +Cc: selinux, refpolicy

On Wed, 2010-05-19 at 20:33 +0500, Shaz wrote:
> On Sat, May 15, 2010 at 10:50 PM, Shaz <shazalive@gmail.com> wrote:
> > Dear list,
> >
> > I want to enable or disable the clipboard with booleans. Is there any
> > available policy that can do this? If not please indicate the relevant place
> > to start with.
> 
> There was a flaw in this question that someone on selinux irc
> explained to me. We need to control an application's access to
> booleans. But I am still not sure how much and what effort it
> requires? Pointer to tutorials or some guidance will be appreciated.

If you want to allow changing Booleans on a coarse level (all or
nothing), you just need to allow the setbool permission.  The
selinux_set_generic_booleans() or selinux_set_all_booleans() interfaces
should be sufficient for this.

If you want to be fine grained, you can label the selinuxfs entry for
the boolean using the selinux_labeled_boolean() interface.  For example
if you wanted to label the "disable_clipboard" boolean:

type my_boolean_t;
selinux_labeled_boolean(my_boolean_t, disable_clipboard)

Then you would need to allow rw permissions on the my_boolean_t file, in
addition to the setbool permission.  The caveat on this is that the
selinux_labeled_boolean() call and type declaration must be in the base
module, if you use a modular policy.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

