[refpolicy] kdialog and Chromium

Christopher J. PeBenito cpebenito at tresys.com
Tue Jul 31 13:32:39 CDT 2012


On 07/27/12 05:12, Sven Vermeulen wrote:
> On Fri, Jul 27, 2012 at 04:14:43PM +1000, Russell Coker wrote:
>> Currently on Debian/Wheezy it's impossible to download files in Chromium when 
>> you are running a KDE session.
>>
>> Chromium launches kdialog to display the dialog box to ask where the file 
>> should be saves.  kdialog wants to write to files such as 
>> ~/.kde/share/config/kdebugrc.lock which isn't permitted for mozilla_t.
>>
>> One possibility that occurs to me is to have kdialog transition to user_t.  
>> Transitioning from mozilla_t isn't generally a good thing, and breaks the case 
>> of running mozilla_t from multiple user domains (multiple user domains is 
>> essentially a broken feature of the policy anyway).
>>
>> Apart from modifying kdialog to not depend on the ability to write to 
>> kdebugrc.lock what can I do to solve this?
> 
> Russel, sorry for sending you previous mails privately, wasn't my intention.
> 
> As I said, I'm working on a (separate[1]) domain for chromium and hit similar
> issues too (for instance when accessing ~/.pki) since I am trying to get the
> browsers running without requiring access to user_home_t stuff.
> 
> Perhaps we can allow for a sharable lock file type (kde_lock_t) and allow
> the domain search rights in the kde_home_t stuff (I'm assuming these are the
> domains, I don't have any kde_* stuff here) and an automated file transition
> when a file with the name "kdebugrc.lock" is written in kde_home_t to
> kde_lock_t ?

At the moment, I don't have any suggestions beyond something like this.  Not unless you want a conditional for writing out files to the home dir.

> [1] Chromium itself can be built with SELinux-enabled, but then requires
> that the policy supports a domain called chromium_renderer_t (which it
> dynamically transitions to). It doesn't make sense to include this in the
> mozilla_t domain.

Is chromium_renderer_t hard coded into Chromium or does it sanely expect an appconfig file (like initrc_context or userhelper_context)?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


More information about the refpolicy mailing list