On Fri, 2012-11-30 at 11:27 -0800, Robin Lee Powell wrote:
> On Fri, Nov 30, 2012 at 11:32:19AM -0500, Daniel J Walsh wrote:
> > >> If you are looking to become a packager from dropbox in fedora,
> > >> I can put you in contact with people who can help you out.
> > >
> > > *Definitely* not that. I'm happy to do much of the back-end
> > > work, but I do *not* want the responsibility of actually
> > > maintaining any packages; my life is full to bursting as it is.
> > > Making all these AVC bug reports is about as much as I can
> > > handle.
> > >
> > > Anyways, Dominick said in IRC that he wanted to see it and the
> > > raw AVCs, so here it is, and Dan you can probably ignore it. It
> > > is *not* polished, but I think it's a decent starting point.
> > >
> > Great, I would love to get this stuff into Fedora, and any help
> > you can give is appreciated.
>
> Well, the "fun" thing about dropbox is that you need to run one
> daemon per each user, and each user has to interact with their
> personal daemon to set up synch and so on. As such, I don't know
> what a decent packaging of it would act like, even in theory. For
> my own part, I've created a puppet definition that takes a user name
> and installs a systemd definition for each dropbox user; once the
> user does the manual synch steps, the daemon can take over and just
> works.
>
> Y'all are welcome to the puppet definition and the systemd template
> if you think it'll help :), but honestly I think the best way to
> handle it at the system packaging level is to just say "Here's the
> daemon, here's some selinux policy, here's a man page that shows you
> how to run the thing yourself".
>
> -Robin

This is what I have so far.
It seems to be a solid base on first sight:

> policy_module(mydropbox, 1.0.0)
>
> attribute dropbox_domain;
>
> type dropbox_exec_t;
>
> type dropbox_home_t;
> userdom_user_home_content(dropbox_home_t)
>
> type dropbox_tmp_t;
> userdom_user_tmp_content(dropbox_tmp_t)
>
> type dropbox_tmpfs_t;
> userdom_user_tmpfs_content(dropbox_tmpfs_t)
>
> type dropbox_port_t;
> corenet_port(dropbox_port_t)
>
> allow dropbox_domain self:capability dac_override; # mount
> allow dropbox_domain self:netlink_route_socket r_netlink_socket_perms;
> allow dropbox_domain self:process { execmem signal };
> allow dropbox_domain self:shm create_shm_perms;
> allow dropbox_domain self:tcp_socket create_stream_socket_perms;
> allow dropbox_domain self:udp_socket create_socket_perms;
>
> allow dropbox_domain dropbox_home_t:dir manage_dir_perms;
> allow dropbox_domain dropbox_home_t:file manage_file_perms;
> allow dropbox_domain dropbox_home_t:sock_file manage_sock_file_perms;
> userdom_user_home_dir_filetrans(dropbox_domain, dropbox_home_t, dir, ".dropbox")
>
> allow dropbox_domain dropbox_tmp_t:file { manage_file_perms mmap_file_perms };
> files_tmp_filetrans(dropbox_domain, dropbox_tmp_t, file)
>
> can_exec(dropbox_domain, dropbox_exec_t)
>
> kernel_getattr_core_if(dropbox_domain)
>
> corecmd_exec_shell(dropbox_domain)
>
> corenet_tcp_bind_generic_node(dropbox_domain)
> corenet_tcp_sendrecv_generic_if(dropbox_domain)
> corenet_tcp_sendrecv_generic_node(dropbox_domain)
> corenet_udp_bind_generic_node(dropbox_domain)
> corenet_udp_sendrecv_generic_if(dropbox_domain)
> corenet_udp_sendrecv_generic_node(dropbox_domain)
>
> corenet_sendrecv_http_client_packets(dropbox_domain)
> corenet_tcp_connect_http_port(dropbox_domain)
> corenet_tcp_sendrecv_http_port(dropbox_domain)
>
> allow dropbox_domain dropbox_port_t:{ tcp_socket udp_socket } name_bind; # temporary workaround: 17500
>
> dev_list_sysfs(dropbox_domain)
> dev_read_sysfs(dropbox_domain)
> dev_read_urand(dropbox_domain)
>
> dev_dontaudit_getattr_all_blk_files(dropbox_domain) # panic
> dev_dontaudit_getattr_all_chr_files(dropbox_domain) # panic
>
> fs_getattr_tmpfs(dropbox_domain)
> fs_getattr_xattr_fs(dropbox_domain)
> fs_rw_inherited_tmpfs_files(dropbox_domain) # this is that xserver shm thing
>
> auth_read_passwd(dropbox_domain)
>
> init_getattr_initctl(dropbox_domain)
>
> libs_exec_ldconfig(dropbox_domain)
>
> mount_exec(dropbox_domain)
> mount_manage_pid_files(dropbox_domain) # mount: read/write /run/mount/utab
>
> sysnet_exec_ifconfig(dropbox_domain)
> sysnet_read_config(dropbox_domain)
>
> userdom_manage_user_home_content_dirs(dropbox_domain)
> userdom_manage_user_home_content_files(dropbox_domain)
> userdom_mmap_user_home_content_files(dropbox_domain) # libraries in ~/.dropbox-dist
> userdom_user_home_dir_filetrans_user_home_content(dropbox_domain, dir) # cannot use named file transition due to random names
> userdom_use_inherited_user_terminals(dropbox_domain)
>
> optional_policy(`
> 	dbus_session_bus_client(dropbox_domain) # probably not actually optional
> 	dbus_connect_session_bus(dropbox_domain) # probably not actually optional
> ')
>
> optional_policy(`
> 	gnome_read_home_config(dropbox_domain) # ibus, might not be optional
>
> 	# hack
> 	gen_require(`
> 		type config_home_t;
> 	')
>
> 	allow dropbox_domain config_home_t:dir setattr_dir_perms;
> ')
> policy_module(myuserdomain, 1.0.0)
>
> gen_require(`
> 	type unconfined_t;
> 	role unconfined_r;
> ')
>
> dropbox_role_template(unconfined, unconfined_r, unconfined_t)
> ## <summary>Dropbox is a free service that lets you bring all your photos, docs, and videos anywhere.</summary>
>
> #######################################
> ## <summary>
> ## The role template for the dropbox module.
> ## </summary>
> ## <desc>
> ## <p>
> ## This template creates a derived domains which are used
> ## for window manager applications.
> ## </p>
> ## </desc>
> ## <param name="role_prefix">
> ## <summary>
> ## The prefix of the user domain (e.g., user
> ## is the prefix for user_t).
> ## </summary>
> ## </param>
> ## <param name="user_role">
> ## <summary>
> ## The role associated with the user domain.
> ## </summary>
> ## </param>
> ## <param name="user_domain">
> ## <summary>
> ## The type of the user domain.
> ## </summary>
> ## </param>
> #
> template(`dropbox_role_template',`
> 	gen_require(`
> 		attribute dropbox_domain;
> 		type dropbox_exec_t, dropbox_home_t, dropbox_tmpfs_t;
> 	')
>
> 	########################################
> 	#
> 	# Declarations
> 	#
>
> 	type $1_dropbox_t, dropbox_domain;
> 	userdom_user_application_domain($1_dropbox_t, dropbox_exec_t)
> 	role $2 types $1_dropbox_t;
>
> 	########################################
> 	#
> 	# Policy
> 	#
>
> 	domtrans_pattern($3, dropbox_exec_t, $1_dropbox_t)
>
> 	ps_process_pattern($3, $1_dropbox_t)
> 	allow $3 $1_dropbox_t:process { ptrace signal_perms };
>
> 	allow $1_dropbox_t $3:process signull;
> 	allow $1_dropbox_t $3:unix_stream_socket connectto;
>
> 	allow $3 dropbox_exec_t:file { manage_file_perms relabel_file_perms };
> 	userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "dropbox")
> 	userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "dropboxd")
> 	userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "library.zip")
>
> 	allow $3 dropbox_home_t:dir { manage_dir_perms relabel_dir_perms };
> 	allow $3 dropbox_home_t:file { manage_file_perms relabel_file_perms };
> 	allow $3 dropbox_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
> 	userdom_user_home_dir_filetrans($3, dropbox_home_t, dir, ".dropbox")
>
> 	kernel_read_system_state($1_dropbox_t)
>
> 	corecmd_bin_domtrans($1_dropbox_t, $3)
>
> 	corenet_all_recvfrom_unlabeled($1_dropbox_t)
> 	corenet_all_recvfrom_netlabel($1_dropbox_t)
>
> 	logging_send_syslog_msg($1_dropbox_t) # might want to make this conditional if possible
>
> 	optional_policy(`
> 		dropbox_dbus_chat($1, $3) # probably not actually optional
> 	')
>
> 	optional_policy(`
> 		xserver_user_x_domain_template($1_dropbox, $1_dropbox_t, dropbox_tmpfs_t) # might not be optional
> 	')
> ')
>
> ########################################
> ## <summary>
> ## Send and receive messages from
> ## dropbox over dbus.
> ## </summary>
> ## <param name="role_prefix">
> ## <summary>
> ## The prefix of the user domain (e.g., user
> ## is the prefix for user_t).
> ## </summary>
> ## </param>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`dropbox_dbus_chat',`
> 	gen_require(`
> 		type $1_dropbox_t;
> 		class dbus send_msg;
> 	')
>
> 	allow $2 $1_dropbox_t:dbus send_msg;
> 	allow $1_dropbox_t $2:dbus send_msg;
> ')
> ## <summary></summary>
> HOME_DIR/\.dropbox(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
> HOME_DIR/\.dropbox-dist/dropbox(d)? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
> HOME_DIR/\.dropbox-dist/library.zip -- gen_context(system_u:object_r:dropbox_exec_t,s0)

The above are two policy modules: mydropbox and myuserdomain

The myuserdomain extends the unconfined_t domain to run dropbox in the dropbox domain

I haven't tested/supported the nautilus plugin

You need to label the dropbox port manually after you installed the above modules:

# semanage port -l | grep dropbox
dropbox_port_t                 tcp      17500
dropbox_port_t                 udp      17500

The way this works is:

In a clean home directory (no ~/Dropbox, ~/.dropbox, ~/.dropbox-dist) do:

cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" | tar xzf -
cd ~/.dropbox-dist
./dropboxd

Then just follow the steps in the wizard

I only tested it with an existing account
I only tested it with an express setup (no customised locations)

Try it out and please give feedback so that we can improve it

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
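
The manual port-labelling step mentioned in the message, as an added example that is not part of the original post: the functions below read `semanage port -l` output and print the `semanage port -a` commands still needed so that tcp and udp 17500 both carry dropbox_port_t. The function names and the sample listing are constructed for illustration, and the mydropbox module is assumed to be loaded already so that the type exists.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.
DROPBOX_TYPE=dropbox_port_t   # port type declared in the mydropbox module
DROPBOX_PORT=17500            # port quoted in the message

# Constructed sample of `semanage port -l` output: only tcp is labelled so far.
sample_listing() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

dropbox_port_t                 tcp      17500
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
EOF
}

# Read `semanage port -l` output on stdin and print each protocol (tcp, udp)
# for which DROPBOX_PORT is not yet labelled DROPBOX_TYPE.
missing_protocols() {
    awk -v want_type="$DROPBOX_TYPE" -v want_port="$DROPBOX_PORT" '
        $1 == want_type {
            proto = $2
            list = ""
            for (i = 3; i <= NF; i++) list = list $i   # rejoin "80, 81, 443"
            n = split(list, ports, ",")
            for (j = 1; j <= n; j++) {
                lo = hi = ports[j]
                # entries may also be ranges such as 5900-5999
                if (split(ports[j], r, "-") == 2) { lo = r[1]; hi = r[2] }
                if (want_port + 0 >= lo + 0 && want_port + 0 <= hi + 0)
                    seen[proto] = 1
            }
        }
        END {
            if (!("tcp" in seen)) print "tcp"
            if (!("udp" in seen)) print "udp"
        }'
}

# Print (do not run) the semanage commands that add the missing labels.
label_commands() {
    for proto in $(missing_protocols); do
        echo "semanage port -a -t $DROPBOX_TYPE -p $proto $DROPBOX_PORT"
    done
}

# Usage on a real system, as root:  semanage port -l | label_commands
```

Once both labels are present, `semanage port -l | grep dropbox` should show the two lines quoted in the message.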