On Fri, 2012-11-30 at 11:27 -0800, Robin Lee Powell wrote:
On Fri, Nov 30, 2012 at 11:32:19AM -0500, Daniel J Walsh wrote:
> >> If you are looking to become a packager from dropbox in fedora,
> >> I can put you in contact with people who can help you out.
> >
> > *Definitely* not that. I'm happy to do much of the back-end
> > work, but I do *not* want the responsibility of actually
> > maintaining any packages; my life is full to bursting as it is.
> > Making all these AVC bug reports is about as much as I can
> > handle.
> >
> > Anyways, Dominick said in IRC that he wanted to see it and the
> > raw AVCs, so here it is, and Dan you can probably ignore it. It
> > is *not* polished, but I think it's a decent starting point.
> >
> Great, I would love to get this stuff into Fedora, and any help
> you can give is appreciated.
Well, the "fun" thing about dropbox is that you need to run one
daemon per each user, and each user has to interact with their
personal daemon to set up synch and so on. As such, I don't know
what a decent packaging of it would act like, even in theory. For
my own part, I've created a puppet definition that takes a user name
and installs a systemd definition for each dropbox user; once the
user does the manual synch steps, the daemon can take over and just
works.
Y'all are welcome to the puppet definition and the systemd template
if you think it'll help :), but honestly I think the best way to
handle it at the system packaging level is to just say "Here's the
daemon, here's some selinux policy, here's a man page that shows you
how to run the thing yourself".
-Robin
This is what I have so far. It seems to be a solid base on first sight:
policy_module(mydropbox, 1.0.0)
attribute dropbox_domain;
type dropbox_exec_t;
type dropbox_home_t;
userdom_user_home_content(dropbox_home_t)
type dropbox_tmp_t;
userdom_user_tmp_content(dropbox_tmp_t)
type dropbox_tmpfs_t;
userdom_user_tmpfs_content(dropbox_tmpfs_t)
type dropbox_port_t;
corenet_port(dropbox_port_t)
allow dropbox_domain self:capability dac_override; # mount
allow dropbox_domain self:netlink_route_socket r_netlink_socket_perms;
allow dropbox_domain self:process { execmem signal };
allow dropbox_domain self:shm create_shm_perms;
allow dropbox_domain self:tcp_socket create_stream_socket_perms;
allow dropbox_domain self:udp_socket create_socket_perms;
allow dropbox_domain dropbox_home_t:dir manage_dir_perms;
allow dropbox_domain dropbox_home_t:file manage_file_perms;
allow dropbox_domain dropbox_home_t:sock_file manage_sock_file_perms;
userdom_user_home_dir_filetrans(dropbox_domain, dropbox_home_t, dir, ".dropbox")
allow dropbox_domain dropbox_tmp_t:file { manage_file_perms mmap_file_perms };
files_tmp_filetrans(dropbox_domain, dropbox_tmp_t, file)
can_exec(dropbox_domain, dropbox_exec_t)
kernel_getattr_core_if(dropbox_domain)
corecmd_exec_shell(dropbox_domain)
corenet_tcp_bind_generic_node(dropbox_domain)
corenet_tcp_sendrecv_generic_if(dropbox_domain)
corenet_tcp_sendrecv_generic_node(dropbox_domain)
corenet_udp_bind_generic_node(dropbox_domain)
corenet_udp_sendrecv_generic_if(dropbox_domain)
corenet_udp_sendrecv_generic_node(dropbox_domain)
corenet_sendrecv_http_client_packets(dropbox_domain)
corenet_tcp_connect_http_port(dropbox_domain)
corenet_tcp_sendrecv_http_port(dropbox_domain)
allow dropbox_domain dropbox_port_t:{ tcp_socket udp_socket } name_bind; # temporary workaround: 17500
dev_list_sysfs(dropbox_domain)
dev_read_sysfs(dropbox_domain)
dev_read_urand(dropbox_domain)
dev_dontaudit_getattr_all_blk_files(dropbox_domain) # panic
dev_dontaudit_getattr_all_chr_files(dropbox_domain) # panic
fs_getattr_tmpfs(dropbox_domain)
fs_getattr_xattr_fs(dropbox_domain)
fs_rw_inherited_tmpfs_files(dropbox_domain) # this is that xserver shm thing
auth_read_passwd(dropbox_domain)
init_getattr_initctl(dropbox_domain)
libs_exec_ldconfig(dropbox_domain)
mount_exec(dropbox_domain)
mount_manage_pid_files(dropbox_domain) # mount: read/write /run/mount/utab
sysnet_exec_ifconfig(dropbox_domain)
sysnet_read_config(dropbox_domain)
userdom_manage_user_home_content_dirs(dropbox_domain)
userdom_manage_user_home_content_files(dropbox_domain)
userdom_mmap_user_home_content_files(dropbox_domain) # libraries in ~/.dropbox-dist
userdom_user_home_dir_filetrans_user_home_content(dropbox_domain, dir) # cannot use named file transition due to random names
userdom_use_inherited_user_terminals(dropbox_domain)
optional_policy(`
dbus_session_bus_client(dropbox_domain) # probably not actually optional
dbus_connect_session_bus(dropbox_domain) # probably not actually optional
')
optional_policy(`
gnome_read_home_config(dropbox_domain) # ibus, might not be optional
# hack
gen_require(`
type config_home_t;
')
allow dropbox_domain config_home_t:dir setattr_dir_perms;
')
policy_module(myuserdomain, 1.0.0)
gen_require(`
type unconfined_t;
role unconfined_r;
')
dropbox_role_template(unconfined, unconfined_r, unconfined_t)
## <summary>Dropbox is a free service that lets you bring all your photos, docs, and videos anywhere.</summary>
#######################################
## <summary>
## The role template for the dropbox module.
## </summary>
## <desc>
## <p>
## This template creates derived domains which are used
## for window manager applications.
## </p>
## </desc>
## <param name="role_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
template(`dropbox_role_template',`
gen_require(`
attribute dropbox_domain;
type dropbox_exec_t, dropbox_home_t, dropbox_tmpfs_t;
')
########################################
#
# Declarations
#
type $1_dropbox_t, dropbox_domain;
userdom_user_application_domain($1_dropbox_t, dropbox_exec_t)
role $2 types $1_dropbox_t;
########################################
#
# Policy
#
domtrans_pattern($3, dropbox_exec_t, $1_dropbox_t)
ps_process_pattern($3, $1_dropbox_t)
allow $3 $1_dropbox_t:process { ptrace signal_perms };
allow $1_dropbox_t $3:process signull;
allow $1_dropbox_t $3:unix_stream_socket connectto;
allow $3 dropbox_exec_t:file { manage_file_perms relabel_file_perms };
userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "dropbox")
userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "dropboxd")
userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "library.zip")
allow $3 dropbox_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $3 dropbox_home_t:file { manage_file_perms relabel_file_perms };
allow $3 dropbox_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
userdom_user_home_dir_filetrans($3, dropbox_home_t, dir, ".dropbox")
kernel_read_system_state($1_dropbox_t)
corecmd_bin_domtrans($1_dropbox_t, $3)
corenet_all_recvfrom_unlabeled($1_dropbox_t)
corenet_all_recvfrom_netlabel($1_dropbox_t)
logging_send_syslog_msg($1_dropbox_t) # might want to make this conditional if possible
optional_policy(`
dropbox_dbus_chat($1, $3) # probably not actually optional
')
optional_policy(`
xserver_user_x_domain_template($1_dropbox, $1_dropbox_t, dropbox_tmpfs_t) # might not be optional
')
')
########################################
## <summary>
## Send and receive messages from
## dropbox over dbus.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dropbox_dbus_chat',`
gen_require(`
type $1_dropbox_t;
class dbus send_msg;
')
allow $2 $1_dropbox_t:dbus send_msg;
allow $1_dropbox_t $2:dbus send_msg;
')
## <summary></summary>
HOME_DIR/\.dropbox(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
HOME_DIR/\.dropbox-dist/dropbox(d)? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
HOME_DIR/\.dropbox-dist/library.zip -- gen_context(system_u:object_r:dropbox_exec_t,s0)
The above are two policy modules: mydropbox and myuserdomain
The myuserdomain module extends the unconfined_t domain to run dropbox in the dropbox domain
I haven't tested/supported the nautilus plugin
You need to label the dropbox port manually after you have installed the above modules:
# semanage port -l | grep dropbox
dropbox_port_t tcp 17500
dropbox_port_t udp 17500
The way this works is:
In a clean home directory (no ~/Dropbox, ~/.dropbox, ~/.dropbox-dist) do:
cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" |
tar xzf -
cd ~/.dropbox-dist
./dropboxd
Then just follow the steps in the wizard
I only tested it with an existing account
I only tested it with an express setup (no customised locations)
Try it out and please give feedback so that we can improve it
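
The build, install and port-labelling steps the message above describes, written out as an added example that is not part of the original post. It assumes the sources were saved as mydropbox.te, mydropbox.if, mydropbox.fc and myuserdomain.te in the current directory and that the selinux-policy-devel Makefile is installed at the path shown; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumed file names: mydropbox.te/.if/.fc and myuserdomain.te in the current directory.
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # shipped by selinux-policy-devel
DROPBOX_PORT=17500                                 # port named in the policy comment

# Read `semanage port -l` output on stdin; succeed only if proto/port is
# already listed under dropbox_port_t. Ports on a line may be comma-separated.
port_is_labeled() {  # $1 = tcp|udp, $2 = port number
    awk -v proto="$1" -v port="$2" '
        $1 == "dropbox_port_t" && $2 == proto {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                if ($i == port) found = 1
            }
        }
        END { exit !found }'
}

dropbox_policy_apply() {
    # Build both modules in one directory so that myuserdomain.te can see
    # dropbox_role_template from the local mydropbox.if.
    make -f "$DEVEL_MAKEFILE" mydropbox.pp myuserdomain.pp || return 1

    # Install together: myuserdomain depends on types declared by mydropbox.
    semodule -i mydropbox.pp myuserdomain.pp || return 1

    # `semanage port -a` errors out on an already defined port, so check first.
    listing=$(semanage port -l) || return 1
    for proto in tcp udp; do
        if printf '%s\n' "$listing" | port_is_labeled "$proto" "$DROPBOX_PORT"; then
            echo "$proto/$DROPBOX_PORT is already dropbox_port_t"
        else
            semanage port -a -t dropbox_port_t -p "$proto" "$DROPBOX_PORT" || return 1
        fi
    done

    # Same check as in the post: both tcp and udp 17500 should be listed.
    semanage port -l | grep dropbox
}

# Only touch the system when explicitly asked to: sh install-dropbox-policy.sh apply
if [ "${1:-}" = "apply" ]; then
    dropbox_policy_apply
fi
```

Run it as root with the argument `apply`; without an argument it only defines the functions.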