Not sure who else to send this to...

grift dominick.grift at gmail.com
Fri Nov 30 21:43:07 UTC 2012


On Fri, 2012-11-30 at 11:27 -0800, Robin Lee Powell wrote:
> On Fri, Nov 30, 2012 at 11:32:19AM -0500, Daniel J Walsh wrote:
> > >> If you are looking to become a packager from dropbox in fedora,
> > >> I can put you in contact with people who can help you out.
> > > 
> > > *Definitely* not that.  I'm happy to do much of the back-end
> > > work, but I do *not* want the responsibility of actually
> > > maintaining any packages; my life is full to bursting as it is.
> > > Making all these AVC bug reports is about as much as I can
> > > handle.
> > > 
> > > Anyways, Dominick said in IRC that he wanted to see it and the
> > > raw AVCs, so here it is, and Dan you can probably ignore it.  It
> > > is *not* polished, but I think it's a decent starting point.
> > > 
> > Great, I would love to get this stuff into Fedora, and any help
> > you can give is appreciated.
> 
> Well, the "fun" thing about dropbox is that you need to run one
> daemon per each user, and each user has to interact with their
> personal daemon to set up synch and so on.  As such, I don't know
> what a decent packaging of it would act like, even in theory.  For
> my own part, I've created a puppet definition that takes a user name
> and installs a systemd definition for each dropbox user; once the
> user does the manual synch steps, the daemon can take over and just
> works.
> 
> Y'all are welcome to the puppet definition and the systemd template
> if you think it'll help :), but honestly I think the best way to
> handle it at the system packaging level is to just say "Here's the
> daemon, here's some selinux policy, here's a man page that shows you
> how to run the thing yourself".
> 
> -Robin

This is what I have so far. It seems to be a solid base at first sight:

> policy_module(mydropbox, 1.0.0)
> 
> attribute dropbox_domain;
> 
> type dropbox_exec_t;
> 
> type dropbox_home_t;
> userdom_user_home_content(dropbox_home_t)
> 
> type dropbox_tmp_t;
> userdom_user_tmp_content(dropbox_tmp_t)
> 
> type dropbox_tmpfs_t;
> userdom_user_tmpfs_content(dropbox_tmpfs_t)
> 
> type dropbox_port_t;
> corenet_port(dropbox_port_t)
> 
> allow dropbox_domain self:capability dac_override; # mount
> allow dropbox_domain self:netlink_route_socket r_netlink_socket_perms;
> allow dropbox_domain self:process { execmem signal };
> allow dropbox_domain self:shm create_shm_perms;
> allow dropbox_domain self:tcp_socket create_stream_socket_perms;
> allow dropbox_domain self:udp_socket create_socket_perms;
> 
> allow dropbox_domain dropbox_home_t:dir manage_dir_perms;
> allow dropbox_domain dropbox_home_t:file manage_file_perms;
> allow dropbox_domain dropbox_home_t:sock_file manage_sock_file_perms;
> userdom_user_home_dir_filetrans(dropbox_domain, dropbox_home_t, dir, ".dropbox")
> 
> allow dropbox_domain dropbox_tmp_t:file { manage_file_perms mmap_file_perms };
> files_tmp_filetrans(dropbox_domain, dropbox_tmp_t, file)
> 
> can_exec(dropbox_domain, dropbox_exec_t)
> 
> kernel_getattr_core_if(dropbox_domain)
> 
> corecmd_exec_shell(dropbox_domain)
> 
> corenet_tcp_bind_generic_node(dropbox_domain)
> corenet_tcp_sendrecv_generic_if(dropbox_domain)
> corenet_tcp_sendrecv_generic_node(dropbox_domain)
> corenet_udp_bind_generic_node(dropbox_domain)
> corenet_udp_sendrecv_generic_if(dropbox_domain)
> corenet_udp_sendrecv_generic_node(dropbox_domain)
> 
> corenet_sendrecv_http_client_packets(dropbox_domain)
> corenet_tcp_connect_http_port(dropbox_domain)
> corenet_tcp_sendrecv_http_port(dropbox_domain)
> 
> allow dropbox_domain dropbox_port_t:{ tcp_socket udp_socket } name_bind; # temporary workaround: 17500
> 
> dev_list_sysfs(dropbox_domain)
> dev_read_sysfs(dropbox_domain)
> dev_read_urand(dropbox_domain)
> 
> dev_dontaudit_getattr_all_blk_files(dropbox_domain) # panic
> dev_dontaudit_getattr_all_chr_files(dropbox_domain) # panic
> 
> fs_getattr_tmpfs(dropbox_domain)
> fs_getattr_xattr_fs(dropbox_domain)
> fs_rw_inherited_tmpfs_files(dropbox_domain) # this is that xserver shm thing
> 
> auth_read_passwd(dropbox_domain)
> 
> init_getattr_initctl(dropbox_domain)
> 
> libs_exec_ldconfig(dropbox_domain)
> 
> mount_exec(dropbox_domain)
> mount_manage_pid_files(dropbox_domain) # mount: read/write /run/mount/utab
> 
> sysnet_exec_ifconfig(dropbox_domain)
> sysnet_read_config(dropbox_domain)
> 
> userdom_manage_user_home_content_dirs(dropbox_domain)
> userdom_manage_user_home_content_files(dropbox_domain)
> userdom_mmap_user_home_content_files(dropbox_domain) # libraries in ~/.dropbox-dist
> userdom_user_home_dir_filetrans_user_home_content(dropbox_domain, dir) # cannot use named file transition due to random names
> userdom_use_inherited_user_terminals(dropbox_domain)
> 
> optional_policy(`
> 	dbus_session_bus_client(dropbox_domain) # probably not actually optional
> 	dbus_connect_session_bus(dropbox_domain) # probably not actually optional
> ')
> 
> optional_policy(`
> 	gnome_read_home_config(dropbox_domain) # ibus, might not be optional
> 
> 	# hack
> 	gen_require(`
> 		type config_home_t;
> 	')
> 
> 	allow dropbox_domain config_home_t:dir setattr_dir_perms;
> ')
> policy_module(myuserdomain, 1.0.0)
> 
> gen_require(`
> 	type unconfined_t;
> 	role unconfined_r;
> ')
> 
> dropbox_role_template(unconfined, unconfined_r, unconfined_t)
> ## <summary>Dropbox is a free service that lets you bring all your photos, docs, and videos anywhere.</summary>
> 
> #######################################
> ## <summary>
> ##	The role template for the dropbox module.
> ## </summary>
> ## <desc>
> ##	<p>
> ##	This template creates a derived domains which are used
> ##	for window manager applications.
> ##	</p>
> ## </desc>
> ## <param name="role_prefix">
> ##	<summary>
> ##	The prefix of the user domain (e.g., user
> ##	is the prefix for user_t).
> ##	</summary>
> ## </param>
> ## <param name="user_role">
> ##	<summary>
> ##	The role associated with the user domain.
> ##	</summary>
> ## </param>
> ## <param name="user_domain">
> ##	<summary>
> ##	The type of the user domain.
> ##	</summary>
> ## </param>
> #
> template(`dropbox_role_template',`
> 	gen_require(`
> 		attribute dropbox_domain;
> 		type dropbox_exec_t, dropbox_home_t, dropbox_tmpfs_t;
> 	')
> 
> 	########################################
> 	#
> 	# Declarations
> 	#
> 
> 	type $1_dropbox_t, dropbox_domain;
> 	userdom_user_application_domain($1_dropbox_t, dropbox_exec_t)
> 	role $2 types $1_dropbox_t;
> 
> 	########################################
> 	#
> 	# Policy
> 	#
> 
> 	domtrans_pattern($3, dropbox_exec_t, $1_dropbox_t)
> 
> 	ps_process_pattern($3, $1_dropbox_t)
> 	allow $3 $1_dropbox_t:process { ptrace signal_perms };
> 
> 	allow $1_dropbox_t $3:process signull;
> 	allow $1_dropbox_t $3:unix_stream_socket connectto;
> 
> 	allow $3 dropbox_exec_t:file { manage_file_perms relabel_file_perms };
> 	userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "dropbox")
> 	userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "dropboxd")
> 	userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "library.zip")
> 
> 	allow $3 dropbox_home_t:dir { manage_dir_perms relabel_dir_perms };
> 	allow $3 dropbox_home_t:file { manage_file_perms relabel_file_perms };
> 	allow $3 dropbox_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
> 	userdom_user_home_dir_filetrans($3, dropbox_home_t, dir, ".dropbox")
> 
> 	kernel_read_system_state($1_dropbox_t)
> 
> 	corecmd_bin_domtrans($1_dropbox_t, $3)
> 
> 	corenet_all_recvfrom_unlabeled($1_dropbox_t)
> 	corenet_all_recvfrom_netlabel($1_dropbox_t)
> 
> 	logging_send_syslog_msg($1_dropbox_t) # might want to make this conditional if possible
> 
> 	optional_policy(`
> 		dropbox_dbus_chat($1, $3) # probably not actually optional
> 	')
> 
> 	optional_policy(`
> 		xserver_user_x_domain_template($1_dropbox, $1_dropbox_t, dropbox_tmpfs_t) # might not be optional
> 	')
> ')
> 
> ########################################
> ## <summary>
> ##	Send and receive messages from
> ##	dropbox over dbus.
> ## </summary>
> ## <param name="role_prefix">
> ##	<summary>
> ##	The prefix of the user domain (e.g., user
> ##	is the prefix for user_t).
> ##	</summary>
> ## </param>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dropbox_dbus_chat',`
> 	gen_require(`
> 		type $1_dropbox_t;
> 		class dbus send_msg;
> 	')
> 
> 	allow $2 $1_dropbox_t:dbus send_msg;
> 	allow $1_dropbox_t $2:dbus send_msg;
> ')
> ## <summary></summary>
> HOME_DIR/\.dropbox(/.*)?	gen_context(system_u:object_r:dropbox_home_t,s0)
> HOME_DIR/\.dropbox-dist/dropbox(d)?	--	gen_context(system_u:object_r:dropbox_exec_t,s0)
> HOME_DIR/\.dropbox-dist/library.zip	--	gen_context(system_u:object_r:dropbox_exec_t,s0)

The above are two policy modules: mydropbox and myuserdomain.
The myuserdomain module extends the unconfined_t domain to run dropbox in the dropbox domain.

I haven't tested/supported the nautilus plugin.

You need to label the dropbox port manually after you have installed the above modules:

# semanage port -l | grep dropbox
dropbox_port_t                 tcp      17500
dropbox_port_t                 udp      17500

The way this works is:

In a clean home directory (no ~/Dropbox, ~/.dropbox, ~/.dropbox-dist) do:

cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" | tar xzf -
cd ~/.dropbox-dist
./dropboxd

Then just follow the steps in the wizard

I only tested it with an existing account.
I only tested it with an express setup (no customised locations).

Try it out and please give feedback so that we can improve it.
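
Added example (not part of the original post or of the posted policy): a check for the manual port-labeling step described above. It reads `semanage port -l` output on stdin and prints the `semanage port -a` command for each protocol on which 17500 does not yet carry dropbox_port_t; the function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Port and type are taken from the post; everything else here is an assumption.
PORT=17500
TYPE=dropbox_port_t

# Hypothetical helper: stdin is `semanage port -l` output.
# Prints one command per protocol (tcp, udp) still missing the label.
missing_dropbox_port_cmds() {
    awk -v type="$TYPE" -v port="$PORT" '
        # Listing columns: type, protocol, then ports separated by ", "
        $1 == type {
            for (i = 3; i <= NF; i++) {
                p = $i
                gsub(/,/, "", p)
                # An entry is a single port or a range such as 17500-17510
                if (split(p, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = p + 0; hi = p + 0 }
                if (port + 0 >= lo && port + 0 <= hi) have[$2] = 1
            }
        }
        END {
            n = split("tcp udp", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in have))
                    printf "semanage port -a -t %s -p %s %s\n", type, want[i], port
        }'
}

# Constructed sample listings (not captured from a real system).
SAMPLE_OK='dropbox_port_t                 tcp      17500
dropbox_port_t                 udp      17500'
SAMPLE_PARTIAL='dropbox_port_t                 tcp      17500
http_port_t                    tcp      80, 81, 443'

# Demo on the constructed input; on a real host run as root:
#   semanage port -l | missing_dropbox_port_cmds
printf '%s\n' "$SAMPLE_PARTIAL" | missing_dropbox_port_cmds
```

No output means both the tcp and udp labels are already in place, matching the listing shown in the post.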


