Evolution - /var/spool and OpenOffice launching

Ted Rule ejtr at layer3.co.uk
Fri Oct 14 15:41:11 UTC 2005


After some more trawling through the policy for dontaudit references, I
found that I needed to add the following:

allow user_t { user_tmp_t tmp_t }:sock_file { getattr };
allow user_evolution_t { user_tmp_t tmp_t }:sock_file { getattr };

in addition to my existing patch granting { create write unlink }
permissions to get OO to launch from Evo.

As mentioned before, it seems that OO launched from user_t creates the
socket as user_tmp_t, whereas when launched from user_evolution_t, OO
creates the socket as tmp_t. Hence there is possibly still some tidy-up
to do to the evolution policy to make sure the socket is always created
user_tmp_t?

Now that I can launch OO from Evolution, another little problem has
become apparent. If I launch OO from Evo, then launch OO natively from
user_t, then close the native OO instance, I find that the
user_evolution_t OO instance can't be closed cleanly. The process list
before trying to close either shows two different copies of swriter.bin
in user_t and user_evolution_t domains, but of course the sock_file
appears to be shared by both instances with the same filename. Some more
experimentation may reveal how to tweak SELinux to allow for a clean
close of both instances, but I would imagine this is at best a fudge.



On Fri, 2005-10-14 at 14:05 +0100, Ted Rule wrote: 
> I have a couple of problems with Evolution/OpenOffice running on
> FC4/strict with policy:
> 
> selinux-policy-strict-sources-1.27.1-2.3
> 
> The first, relatively simple, issue is that the user_evolution_t policy
> doesn't seem to have provision for reading /var/spool/mail. I have
> sendmail set up to forward root mail to my local non-root account, and
> then Evolution set up to read the ensuing Unix mail spool locally in
> addition to my remote IMAP/POP3 accounts.
> 
> The extra var_spool_t and mail_spool_t policy listed below seems to do
> the trick, though obviously a more complete solution would require
> proper "macro-ising" to take account of staff_evolution_t and so on.
> 
> As far as I can tell, there isn't a boolean switch to allow for this.
> 
> 
> The second, slightly more intractable problem is that of
> OpenOffice/Evolution integration.
> 
> I have the allow_execmem boolean enabled to allow for a plain launch of
> OpenOffice, but I find that an additional execmem policy - see below -
> is needed to allow for the launch of OO from within Evolution's
> "attachment view dialog" as it now has its own user_evolution_t domain
> which seems to ignore the allow_execmem boolean.
> 
> The execmem policy is still not sufficient to allow me to launch OO from
> Evolution. I've added some extra policy to cope with denial messages
> that I've seen for this socket file
> 
> /tmp/OSL_PIPE_500_SingleOfficeIPC_2df8e6ac565346ee4ccc8ac992ddaa83
> 
> which OO creates, but this is still not enough to make OO fire up.
> 
> The socket created by OO appears to get left behind once OO has
> finished, which makes me suspect that part of the problem is that the
> socket has a different file_context when created from user_t as opposed
> to user_evolution_t.
> 
> With my current patched policy, I get no further SELinux denial
> messages, so debugging the problem has become trickier. Presumably there
> is a dontaudit policy somewhere suppressing the error message I'm
> interested in, but I haven't tracked it down yet.
> 
> Any suggestions, folks?
> 
> 
> Current patches to strict policy:
> 
> =================================================================
> 
> 
> cat /etc/selinux/strict/src/policy/domains/program/localpolicy.te
> # Miscellaneous Local SELinux policy not
> # covered by other .te configuration
> ...
> 
> ##############################################################
> # Patch to allow Evolution to read home mail spools
> # Seemingly still required as not included in default policy
> allow user_evolution_t var_spool_t:dir { search };
> allow user_evolution_t mail_spool_t:dir { read getattr search };
> allow user_evolution_t mail_spool_t:file { read getattr write };
> 
> ...
> 
> #############################################################
> # Patch to allow Evolution to launch OpenOffice....
> allow user_evolution_t self:process { execmem };
> auditallow user_evolution_t self:process { execmem };
> 
> #############################################################
> # Patch to allow OpenOffice to write to a temporary socket....
> allow user_t { user_tmp_t tmp_t }:sock_file { create write unlink };
> auditallow user_t { user_tmp_t tmp_t }:sock_file { create write unlink };
> 
> ...
> 
> # Patches to allow OpenOffice to write to a temporary socket....from Evolution
> allow user_evolution_t { user_tmp_t tmp_t }:sock_file { create write unlink };
> auditallow user_evolution_t { user_tmp_t tmp_t }:sock_file { create write unlink };
> 
> 

-- 
Ted Rule

Director, Layer3 Systems Ltd

E: ejtr at layer3.co.uk
M: 07770 431471
W: http://www.layer3.co.uk/
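The workflow in the mail (collect AVC denials, turn them into allow rules, then trawl the policy for dontaudit rules that might be hiding the next denial) can be automated. The following is an added example and is not part of Ted's mail or of the Fedora strict policy sources: a minimal audit2allow-style helper that merges denials per (source type, target type, class) and cross-checks them against dontaudit rules in a policy text. The AVC lines in SAMPLE_AVC and the dontaudit excerpt in SAMPLE_POLICY are constructed, modelled on the socket-file and mail-spool denials discussed above; they are not quotes from a real audit log or from the real policy.

```python
"""Minimal audit2allow-style helper with a dontaudit cross-check (constructed example)."""
import re
from collections import defaultdict

# Constructed AVC lines in the 2.6-era kernel format; the socket name and
# inode numbers are placeholders, not values from a real system.
SAMPLE_AVC = """\
audit(1129300000.123:45): avc:  denied  { create } for  pid=4321 comm="soffice.bin" name="OSL_PIPE_500_SingleOfficeIPC_PLACEHOLDER" dev=hda2 ino=12345 scontext=user_u:user_r:user_evolution_t tcontext=user_u:object_r:tmp_t tclass=sock_file
audit(1129300001.456:46): avc:  denied  { write } for  pid=4321 comm="soffice.bin" name="OSL_PIPE_500_SingleOfficeIPC_PLACEHOLDER" dev=hda2 ino=12345 scontext=user_u:user_r:user_evolution_t tcontext=user_u:object_r:tmp_t tclass=sock_file
audit(1129300002.789:47): avc:  denied  { unlink } for  pid=4321 comm="soffice.bin" name="OSL_PIPE_500_SingleOfficeIPC_PLACEHOLDER" dev=hda2 ino=12345 scontext=user_u:user_r:user_evolution_t tcontext=user_u:object_r:tmp_t tclass=sock_file
audit(1129300003.001:48): avc:  denied  { search } for  pid=4322 comm="evolution" name="mail" dev=hda2 ino=99 scontext=user_u:user_r:user_evolution_t tcontext=system_u:object_r:var_spool_t tclass=dir
"""

# Constructed policy excerpt standing in for the strict policy's dontaudit
# rules; it is NOT the real content of the strict policy sources.
SAMPLE_POLICY = """\
# hypothetical rules, constructed for this example
dontaudit user_t { tmp_t user_tmp_t }:sock_file getattr;
dontaudit user_evolution_t tmp_t:sock_file getattr;
allow user_evolution_t var_spool_t:dir search;
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\} .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)
# allow/dontaudit/auditallow SRC TGT:CLASS PERMS ;  (SRC/TGT/PERMS may be { a b } sets)
RULE_RE = re.compile(
    r"^\s*(allow|dontaudit|auditallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;"
)


def parse_avc(text):
    """Yield (source_type, target_type, class, set_of_perms) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scon").split(":")[2]  # user:role:type[:level] -> type
        ttype = m.group("tcon").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())


def allow_rules(avc_text):
    """Merge the denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for s, t, c, perms in parse_avc(avc_text):
        merged[(s, t, c)] |= perms
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


def _as_set(token):
    return set(token.strip("{} ").split())


def parse_rules(policy_text):
    """Return (kind, sources, targets, class, perms) for each rule in a .te text."""
    rules = []
    for line in policy_text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            kind, src, tgt, cls, perms = m.groups()
            rules.append((kind, _as_set(src), _as_set(tgt), cls, _as_set(perms)))
    return rules


def suppressed_by_dontaudit(avc_text, policy_text):
    """For every observed denial, list dontaudit rules on the same domain, type and
    class: the permissions they name can be denied without any AVC message, which is
    the case where the mail had to go looking through the policy by hand."""
    rules = parse_rules(policy_text)
    hits, seen = [], set()
    for s, t, c, _ in parse_avc(avc_text):
        for kind, src, tgt, cls, perms in rules:
            if kind == "dontaudit" and s in src and t in tgt and c == cls:
                key = (s, t, c, tuple(sorted(perms)))
                if key not in seen:
                    seen.add(key)
                    hits.append("dontaudit %s %s:%s { %s }" % (s, t, c, " ".join(sorted(perms))))
    return hits


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVC)))
    print("silent denials possible for:", suppressed_by_dontaudit(SAMPLE_AVC, SAMPLE_POLICY))
```

On the constructed sample this produces the merged sock_file and var_spool_t rules and flags that getattr on tmp_t:sock_file is dontaudited for user_evolution_t, which is the kind of permission that only shows up once the audit suppression is removed or the policy is read directly.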
