commit: 510589e13d0ae9fa2672673524eab27f833cce1c
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed May 24 00:59:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:31:51 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=510589e1
openoffice: minor update
Minor update for the Apache OpenOffice(R) module: part 2/3.
This patch introduces a few minor changes to the Apache
OpenOffice(R) module, including fixes for smoother integration
with gnome.
It no longer requires the userdomain interface that was
previously introduced with part 1/3 (now dropped) because
it now uses an OpenOffice interface (thanks to Christopher
PeBenito for suggesting this improvement).
This is the third version (v3).
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
policy/modules/contrib/openoffice.if | 26 ++++++++++++++++++++++++++
policy/modules/contrib/openoffice.te | 15 +++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/policy/modules/contrib/openoffice.if
b/policy/modules/contrib/openoffice.if
index 19f62381..4cb669c8 100644
--- a/policy/modules/contrib/openoffice.if
+++ b/policy/modules/contrib/openoffice.if
@@ -29,6 +29,10 @@ interface(`ooffice_role',`
allow $2 ooffice_t:process { ptrace signal_perms };
ps_process_pattern($2, ooffice_t)
+
+ optional_policy(`
+ ooffice_dbus_chat($2)
+ ')
')
########################################
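Review bot: The `optional_policy(` wrapper around `ooffice_dbus_chat($2)` guards a call to an interface defined in this same module, so it does not make the rule conditional on any other module being present; as far as this hunk shows, a bare `ooffice_dbus_chat($2)` would be equivalent. If the intent was to make the rule depend on the dbus module being loaded, that dependency is not expressed here and would need a dbus-module interface in the block. Keep in mind the call is bidirectional: it also lets ooffice_t send dbus messages to the role's user domain. The enclosing `ooffice_role` interface starts before the hunk.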
@@ -86,3 +90,25 @@ interface(`ooffice_rw_tmp_files',`
rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
')
+
+#######################################
+## <summary>
+## Send and receive dbus messages
+## from and to the openoffice
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_dbus_chat',`
+ gen_require(`
+ type ooffice_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ooffice_t:dbus send_msg;
+ allow ooffice_t $1:dbus send_msg;
+')
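Review bot: The comment rule directly above the new `## <summary>` block appears to be one `#` shorter than the 40-character rule this file uses above `interface(`ooffice_rw_tmp_files'`, so the header banners are visibly inconsistent; pad it to `########################################`. The body itself follows the standard refpolicy dbus_chat shape (both `send_msg` directions plus the `gen_require` on `class dbus send_msg`), which matches the "Send and receive" wording of the summary.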
diff --git a/policy/modules/contrib/openoffice.te
b/policy/modules/contrib/openoffice.te
index fe241429..01244b94 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file
sock_file })
can_exec(ooffice_t, ooffice_exec_t)
+kernel_dontaudit_read_system_state(ooffice_t)
+
corecmd_exec_bin(ooffice_t)
corecmd_exec_shell(ooffice_t)
dev_read_sysfs(ooffice_t)
dev_read_urand(ooffice_t)
+domain_use_interactive_fds(ooffice_t)
+
files_getattr_all_dirs(ooffice_t)
files_getattr_all_files(ooffice_t)
files_getattr_all_symlinks(ooffice_t)
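Review bot: The two added calls are separated from their neighbours by a blank line on the wrong side: `kernel_dontaudit_read_system_state(ooffice_t)` sits directly under `can_exec(ooffice_t, ooffice_exec_t)` and `domain_use_interactive_fds(ooffice_t)` directly under `dev_read_urand(ooffice_t)`, with the blank line after each instead of before. Refpolicy groups calls by module prefix with a blank line between groups, so the blank should precede each new call, e.g. `dev_read_urand(ooffice_t)` / blank / `domain_use_interactive_fds(ooffice_t)`. Note for readers that the `kernel_dontaudit_*` line only silences denials on system-state reads; it grants nothing.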
@@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice_t)
sysnet_dns_name_resolve(ooffice_t)
userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
+
userdom_read_user_tmp_files(ooffice_t)
userdom_manage_user_home_content_dirs(ooffice_t)
userdom_manage_user_home_content_files(ooffice_t)
userdom_manage_user_home_content_symlinks(ooffice_t)
userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file
lnk_file fifo_file sock_file })
+userdom_manage_user_tmp_sockets(ooffice_t)
+
+userdom_use_inherited_user_terminals(ooffice_t)
+
tunable_policy(`openoffice_allow_update',`
corenet_tcp_connect_http_port(ooffice_t)
')
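Review bot: `userdom_manage_user_tmp_sockets(ooffice_t)` is inserted after `userdom_user_home_dir_filetrans_user_home_content(...)` and set off by a blank line, and `userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)` is likewise split from `userdom_read_user_tmp_files(ooffice_t)` by a blank, which breaks up the file's contiguous `userdom_` group and makes the user-tmp rules hard to find when auditing what ooffice_t may do in per-user tmp. Keeping the `userdom_` calls in one block, with the tmp rules next to `userdom_read_user_tmp_files(ooffice_t)` and `userdom_use_inherited_user_terminals(ooffice_t)` at the end of the group, would read more clearly. The same blank-line placement applies to the earlier hunk of this file.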
@@ -119,6 +129,11 @@ optional_policy(`
')
optional_policy(`
+ gnome_dbus_chat_gconfd(ooffice_t)
+ gnome_stream_connect_gconf(ooffice_t)
+')
+
+optional_policy(`
hostname_exec(ooffice_t)
')
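Review bot: `gnome_dbus_chat_gconfd(ooffice_t)` only adds `dbus send_msg` rules between ooffice_t and gconfd; it does not by itself let ooffice_t connect to the session bus, so unless a `dbus_session_bus_client(ooffice_t)` call already exists elsewhere in this file (not visible in the hunk) the new rule would stay inert and the gconf messages would still be denied at the bus. The usual refpolicy shape is to nest this gnome block inside an `optional_policy(` that first calls `dbus_session_bus_client(ooffice_t)`; please confirm which applies here. `gnome_stream_connect_gconf(ooffice_t)` is independent of dbus and is fine as placed.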