On 08/12/2016 02:27 PM, Antoine Martin wrote:
>>>> We could try to label xpra by a label to get it running in a different
>>>> CUPS domain.
>>>>
> (snip)
>>>
>>> So maybe do something similar to cups_pdf_exec_t for xpraforwarder, with
>>> the extra privileges needed for accessing the socket?
>>
>> Yes, I was looking for the backend. Could you try to label the backend
>> by cups_pdf_exec_t to see how it works?
> That didn't work, but this does:
> chcon -t cups_pdf_exec_t /usr/lib/cups/backend/xpraforwarder
> And then load this module on top:
>
> module xpraforwarder 1.0;
> require {
>     type user_tmp_t;
>     type cups_pdf_t;
>     type unconfined_t;
>     class unix_dgram_socket create;
>     class unix_dgram_socket connect;
>     class sock_file write;
>     class unix_stream_socket connectto;
> }
> allow cups_pdf_t self:unix_dgram_socket { create connect };
> allow cups_pdf_t user_tmp_t:sock_file write;
> allow cups_pdf_t unconfined_t:unix_stream_socket connectto;
>
> Full details here:
> http://xpra.org/trac/ticket/815#comment:7
>
> I then tried to extract the bits from the cups / cups_pdf policy to try
> to come with something more self-contained for xpra and although I did
> come up with something that works OK and does not depend on cups_pdf_t,
> the resulting policy is a lot bigger than I would like (but it works!):
> http://xpra.org/trac/changeset/13317
>
> Any feedback would be most appreciated, I'm sure there are glaring
> mistakes in there.
> I often find myself wondering how I can reduce those long winded
> statements to more helpful macros - that is, without spending hours
> figuring it all out. How can I get it done more efficiently?

You can use "policy_module(cups_xpra, 1.0)", which means you generate module
policy using reference policy and you don't need to require all these classes
with permissions. Together with that, look for *.if files to avoid the
"require" section if possible.
So for example

----
policy_module(cups_xpra, 1.0)

type cups_xpra_t;
type cups_xpra_exec_t;

cups_backend(cups_xpra_t, cups_xpra_exec_t)

#
# interfaces are placed in /usr/share/selinux/devel/
#
unconfined_stream_connect(cups_xpra_t)
---

and

# make -f /usr/share/selinux/devel/Makefile cups_xpra.pp
# semodule -i cups_xpra.pp

Also https://github.com/TresysTechnology/refpolicy/wiki could be helpful.

> Thanks
> Antoine
>
>>
>> Thank you.
>>
>>>
>>> Thanks
>>> Antoine
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
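An added example, not part of the thread and not xpra's or Fedora's own policy: a small POSIX shell helper that writes the refpolicy-style sources for the xpra backend (cups_xpra.te plus a cups_xpra.fc file context, so the executable is labelled by the module rather than by a one-off chcon), checks that the two files agree, and runs the build and load commands from the reply. The three allow rules from the quoted xpraforwarder module are expressed for a separate cups_xpra_t domain. It assumes the cups_backend, unconfined_stream_connect and userdom_write_user_tmp_sockets interfaces exist in the installed policy headers; the last name in particular is an assumption, so confirm it against the *.if files under /usr/share/selinux/devel/include before building.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a refpolicy-style module for the
# xpra CUPS backend: the allow rules from the quoted xpraforwarder module are
# expressed for a new cups_xpra_t domain through interfaces instead of a
# hand-written require block.
# Assumed interface names (check the *.if files under
# /usr/share/selinux/devel/include): cups_backend, unconfined_stream_connect,
# userdom_write_user_tmp_sockets.

write_cups_xpra_policy() {
    dir="$1"
    mkdir -p "$dir"
    # Type enforcement source; quoted heredoc so nothing is expanded by sh.
    cat > "$dir/cups_xpra.te" <<'EOF'
policy_module(cups_xpra, 1.0)

# Own domain for the backend and the type of its executable.
type cups_xpra_t;
type cups_xpra_exec_t;

# Domain transition from cupsd plus the baseline every CUPS backend needs.
cups_backend(cups_xpra_t, cups_xpra_exec_t)

# Datagram socket the backend creates for itself.
allow cups_xpra_t self:unix_dgram_socket { create connect };

# Write to the user's socket file in /tmp (interface name assumed).
userdom_write_user_tmp_sockets(cups_xpra_t)

# connectto on the unconfined user's stream socket.
unconfined_stream_connect(cups_xpra_t)
EOF
    # File context: labels the backend from the module instead of chcon.
    cat > "$dir/cups_xpra.fc" <<'EOF'
/usr/lib/cups/backend/xpraforwarder -- gen_context(system_u:object_r:cups_xpra_exec_t,s0)
EOF
}

# Sanity check before building: the exec type named in the .fc must be
# declared in the .te, otherwise loading fails. Prints the type on success.
check_policy_sources() {
    dir="$1"
    exec_t=$(sed -n 's/.*object_r:\([a-z_]*\),s0.*/\1/p' "$dir/cups_xpra.fc")
    [ -n "$exec_t" ] || return 1
    grep -q "^type $exec_t;" "$dir/cups_xpra.te" || return 1
    echo "$exec_t"
}

# Build and load, as root on the target with selinux-policy-devel installed.
build_and_install() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile cups_xpra.pp ) || return 1
    semodule -i "$dir/cups_xpra.pp" || return 1
    # Apply the label from the .fc entry; no one-off chcon needed.
    restorecon -v /usr/lib/cups/backend/xpraforwarder
}
```

Usage: source the file, run `write_cups_xpra_policy ./cups_xpra`, inspect the two generated files, then `check_policy_sources ./cups_xpra` and, as root, `build_and_install ./cups_xpra`. If any interface name is missing on your system, the make step reports it as an undefined macro; replace it with the raw allow rule from the thread until the right interface is found.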