[refpolicy] [PATCH] Apache OpenOffice module

Guido Trentalancia guido at trentalancia.net
Tue Nov 29 14:05:04 UTC 2016


Hello.

On Tue, 29/11/2016 at 12.51 +0100, Dominick Grift via refpolicy wrote:
> On 11/29/2016 02:48 AM, Chris PeBenito wrote:
> > 
> > On 11/26/16 08:53, Dominick Grift via refpolicy wrote:
> > > 
> > > On 11/25/2016 11:41 PM, Guido Trentalancia via refpolicy wrote:
> > > > 
> > > > This is a minimal patch that I am testing to support Apache
> > > > OpenOffice with its own module.
> > > > 
> > > > The file contexts (and initial tests) are based on the default
> > > > installation path for version 4 of the office suite.
> > > > 
> > > > Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
> > > > ---
> > [...]
> > > 
> > > 
> > > I am personally of the opinion that this module probably will not
> > > cut it in the end. Basically because it's too limited, especially
> > > considering that it uses dbus.
> > 
> > I'm unclear what the purpose of this policy is.  Users aren't going
> > to expect this kind of limitation.  They should be able to edit
> > whatever their user domain has access to, i.e. the same reason vim
> > doesn't have a policy.
> > 
> 
> vim is a text editor. open/libre office is an office suite.
> 
> I do not believe that anyone expects the latter to be able to manage
> config, data and cache files.

It only reads ~/.cache and ~/.config, while it also needs to manage
~/.local/share files.

Indeed, on the system that I am using, it is confined by enforcing the
above. It works really well!

On the other hand, the patch proposed here simplifies things by
allowing it to manage the whole home directory content.

Of course, it can always be extended at a later time to enforce
stricter file permissions on the above-mentioned hidden directories by
rethinking the whole desktop file contexts and security. But, as a
first step, I suppose the proposed module is enough.

> If you want to enforce some integrity on the desktop then you have to
> draw the line somewhere sometimes. I suppose that is what enforcing
> integrity is all about after all...

Regards,

Guido

