From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-2 Firefox/1.0.3

Description of problem:
This bug is to track development on my restrict_home patch. In its present shape, this patch is not ready for merge, but I think it's moving in the right direction of providing more fine-grained labeling, so desktop programs will not require access to ROLE_home_t/ROLE_tmp_t.

The version attached provides labeling for various gnome hidden folders, mime-type files, and per-user fonts. It creates macros for reading mime-types and fonts, and begins using those in several programs. It places GConf in its own domain. Finally, it removes the mozilla read_home and write_home macros, and changes mozilla to only be able to write ROLE_untrusted_content_t.

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.12-1

How reproducible:
Didn't try

Steps to Reproduce:

Additional info:
Created attachment 113581 [details] Restrict Home V. 1
Created attachment 113861 [details] Makefile patch to detect lines containing USER
USER expansion: Makefile.diff
Created attachment 113863 [details] Genhomedircon patch for USER expansion
USER expansion: genhomedircon.diff
Not sure if this is the right way to do this, but it works...
Created attachment 113875 [details] Restrict Home patch v. 2
Created attachment 113878 [details] Restrict Home patch v. 3
Created attachment 113888 [details] Restrict Home patch v. 4 Funny how I can't attach that patch in enforcing mode...since mozilla can't read ROLE_home_t... will have to deal with that eventually.
Created attachment 114126 [details] ORBit2-SELinux patch to do matchpathcon on /tmp/orbit-$USER... With this patch, orbit-$USER is created with the proper type. I think I will submit the orbit part of the restrict home patch for inclusion now...
Created attachment 114135 [details] ORBit2-SELinux patch v. 2
- matchpathcon() failure not an error condition
- add libORBit to the error messages to indicate where they are from
I am not sure this is the way we want to go. You will need to run orbit with much higher privs. I think the path you were going down earlier, of creating some kind of skel, would be better, i.e. set up /tmp/orbit at boot or when orbit starts up, with the proper context. Then have a file_type_trans rule for users who create files in /tmp/orbit: file_type_domain_trans(user_t, tmp_orbit_t, user_tmp_orbit_t) or something.
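The skeleton-plus-transition approach sketched in the comment above, written out as an added illustration in SELinux policy language. This is not the restrict_home patch, the ORBit2 patch, or the Fedora strict policy source. The type names tmp_orbit_t and user_tmp_orbit_t are the ones the comment uses; the attribute names, the permission-set macros (create_dir_perms, create_file_perms) and the file_contexts line are assumptions modelled on the selinux-policy-strict conventions of that era.

```selinux
# Added illustration only; not from the bug's attachments.
# Type names follow the comment above. Attributes (file_type, sysadmfile,
# tmpfile) and the *_perms macros are assumed to match the strict policy
# of the time.

# /tmp/orbit itself, created with this label at boot (skeleton), before any
# user session starts. Assumed file_contexts entry for restorecon:
#   /tmp/orbit(/.*)?    system_u:object_r:tmp_orbit_t
type tmp_orbit_t, file_type, sysadmfile, tmpfile;

# What an unprivileged user domain creates underneath /tmp/orbit.
type user_tmp_orbit_t, file_type, sysadmfile, tmpfile;

# user_t may traverse the skeleton directory and add/remove entries in it,
# but gets no other rights on tmp_orbit_t.
allow user_t tmp_orbit_t:dir { getattr search write add_name remove_name };

# Anything user_t creates directly inside /tmp/orbit is relabelled at
# creation time to the per-user type, so ORBit needs no matchpathcon()
# and no extra privilege to get the right label.
type_transition user_t tmp_orbit_t:dir       user_tmp_orbit_t;
type_transition user_t tmp_orbit_t:sock_file user_tmp_orbit_t;

# Full rights on its own orbit-$USER directory and the sockets inside it.
allow user_t user_tmp_orbit_t:dir       create_dir_perms;
allow user_t user_tmp_orbit_t:sock_file create_file_perms;
```

In the strict policy of that period the allow/type_transition pair above was, as far as I recall, what the file_type_auto_trans() macro expanded to, so the rule the comment gestures at would be one macro call per object class. The practical caveats are that the skeleton directory has to exist with the right label before the first session creates orbit-$USER (otherwise the user's mkdir lands in ROLE_tmp_t and nothing transitions), and that whatever cleans /tmp must recreate or preserve it with its label; the type_transition only fires for objects created directly inside tmp_orbit_t, so anything deeper inherits user_tmp_orbit_t from its parent, which is the intended result here.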
Bug Update (for anyone interested):

Currently under discussion for inclusion:
- miscellaneous mozilla/gift fixes
- breakup of file_browse_domain
- USER expansion
- orbit macros
- gconfd domain

All attachments are obsolete, and need update - I will post re-synced patches as soon as we've figured out what needs to be merged.

TODO:
- Make genhomedircon expand <<none>> USER contexts
- Figure out this denial:
  audit(1115741956.702:0): avc: denied { use } for path=pipe:[9850] dev=pipefs ino=9850 scontext=phantom:staff_r:staff_gconfd_t tcontext=system_u:system_r:xdm_t tclass=fd
- Do something about gdm vs xdm:
  audit(1115741955.365:0): avc: denied { search } for name=.icons dev=dm-2 ino=324635 scontext=system_u:system_r:xdm_t tcontext=phantom:object_r:staff_gnome_data_t tclass=dir
Created attachment 114270 [details] 03-genhomedircon-USER.diff Upload fixed patch (This patchset is against 1.23.15-4)
Created attachment 114271 [details] 03-Makefile-USER.diff Upload fixed patch (This patchset is against 1.23.15-4)
Created attachment 114272 [details] 03-orbit.diff Upload fixed patch (This patchset is against 1.23.15-4)
Created attachment 114273 [details] 04-gconfd.diff Upload fixed patch (This patchset is against 1.23.15-4)
Created attachment 114274 [details] rest.fix.diff Upload fixed patch (This patchset is against 1.23.15-4)
Closing bug, because it's not working well as a tracker - patches in question are constantly out of date, and being resynced.

Status before closing:

Merged:
- 03-genhomedircon-USER.diff
- 03-Makefile-USER.diff

Pending FC4:
- 03-orbit.diff
- ORBit2-SELinux patch v. 2
- 04-gconfd.diff

Some fonts and mount_point things merged, others need to be fixed:
- rest.fix.diff

------

I will now work on getting the rest of this fixed and merged, and writing an evolution policy...