[refpolicy] [PATCH v2 2/3] openoffice: minor update

Chris PeBenito pebenito at ieee.org
Wed May 24 00:37:23 UTC 2017


On 05/23/2017 04:27 PM, Guido Trentalancia via refpolicy wrote:
> Minor update for the Apache OpenOffice(R) module: part 2/3.
>
> This patch introduces a few minor changes to the Apache
> OpenOffice(R) module, including fixes for smoother integration
> with gnome.
>
> It no longer requires the userdomain interface that was
> previously introduced with part 1/3 (now dropped) because
> it now uses an OpenOffice interface (thanks to Christopher
> PeBenito for suggesting this improvement).
>
> This is the second version (v2).
>
> Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
> ---
>  policy/modules/contrib/openoffice.if |   22 ++++++++++++++++++++++
>  policy/modules/contrib/openoffice.te |   17 +++++++++++++++++
>  2 files changed, 39 insertions(+)
>
> --- a/policy/modules/contrib/openoffice.if	2017-05-23 21:34:17.449592081 +0200
> +++ b/policy/modules/contrib/openoffice.if	2017-05-23 22:10:07.600583291 +0200
> @@ -86,3 +86,25 @@ interface(`ooffice_rw_tmp_files',`
>
>  	rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
>  ')
> +
> +#######################################
> +## <summary>
> +##	Send and receive dbus messages
> +##	from and to the openoffice
> +##	domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`ooffice_dbus_chat',`
> +	gen_require(`
> +		type ooffice_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 ooffice_t:dbus send_msg;
> +	allow ooffice_t $1:dbus send_msg;
> +')
> --- a/policy/modules/contrib/openoffice.te	2017-05-23 21:34:17.461592081 +0200
> +++ b/policy/modules/contrib/openoffice.te	2017-05-23 22:09:20.740583482 +0200
> @@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_t
>
>  can_exec(ooffice_t, ooffice_exec_t)
>
> +kernel_dontaudit_read_system_state(ooffice_t)
> +
>  corecmd_exec_bin(ooffice_t)
>  corecmd_exec_shell(ooffice_t)
>
>  dev_read_sysfs(ooffice_t)
>  dev_read_urand(ooffice_t)
>
> +domain_use_interactive_fds(ooffice_t)
> +
>  files_getattr_all_dirs(ooffice_t)
>  files_getattr_all_files(ooffice_t)
>  files_getattr_all_symlinks(ooffice_t)
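Review bot: kernel_dontaudit_read_system_state(ooffice_t) only suppresses the audit record for reads of kernel/proc system state; it does not grant the access. If the denial it hides actually breaks a feature, the fix is kernel_read_system_state(ooffice_t) instead; if the access is genuinely unneeded, the dontaudit is fine, but the commit message should say which denial motivated it so a later reader does not have to rediscover it.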
> @@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice
>  sysnet_dns_name_resolve(ooffice_t)
>
>  userdom_dontaudit_exec_user_home_content_files(ooffice_t)
> +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
> +
>  userdom_read_user_tmp_files(ooffice_t)
>  userdom_manage_user_home_content_dirs(ooffice_t)
>  userdom_manage_user_home_content_files(ooffice_t)
>  userdom_manage_user_home_content_symlinks(ooffice_t)
>  userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
>
> +userdom_manage_user_tmp_sockets(ooffice_t)
> +
> +userdom_use_inherited_user_terminals(ooffice_t)
> +
>  tunable_policy(`openoffice_allow_update',`
>  	corenet_tcp_connect_http_port(ooffice_t)
>  ')
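Review bot: grouping in this hunk: userdom_manage_user_tmp_sockets(ooffice_t) and userdom_use_inherited_user_terminals(ooffice_t) are each set off by blank lines from the existing userdom_* block, while userdom_dontaudit_manage_user_tmp_dirs(ooffice_t) is placed inside it; keep all calls into userdom together in one block (e.g. userdom_manage_user_tmp_sockets directly after userdom_read_user_tmp_files) rather than scattering them. It would also help to state in the commit message why the application needs to manage sockets in the user's tmp directory and use inherited terminals, since neither reads as gnome integration.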
> @@ -111,6 +121,8 @@ optional_policy(`
>
>  optional_policy(`
>  	dbus_all_session_bus_client(ooffice_t)
> +
> +	ooffice_dbus_chat(ooffice_t)

This results in ooffice_t doing a dbus chat to itself and that's it.
Shouldn't this access be in ooffice_role() so it applies to the user domains?

>  ')
>
>  optional_policy(`
> @@ -119,6 +131,11 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	gnome_dbus_chat_gconfd(ooffice_t)
> +	gnome_stream_connect_gconf(ooffice_t)
> +')
> +
> +optional_policy(`
>  	hostname_exec(ooffice_t)
>  ')
>
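Review bot: gnome_dbus_chat_gconfd(ooffice_t) permits dbus messages in both directions between ooffice_t and gconfd; confirm from the observed denials that both directions are actually exercised, or whether gnome_stream_connect_gconf(ooffice_t) alone covers the settings lookup. Either way, the commit message's "fixes for smoother integration with gnome" should name the gconf access explicitly so the reason for this new optional_policy block is recorded.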
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito
