Evolution - /var/spool and OpenOffice launching

Ted Rule ejtr at layer3.co.uk
Fri Oct 14 13:05:02 UTC 2005


I have a couple of problems with Evolution/OpenOffice running on
FC4/strict with policy:

selinux-policy-strict-sources-1.27.1-2.3

The first, relatively simple, issue is that the user_evolution_t policy
doesn't seem to have provision for reading /var/spool/mail. I have
sendmail set up to forward root mail to my local non-root account, and
then Evolution set up to read the ensuing Unix mail spool locally in
addition to my remote IMAP/POP3 accounts.

The extra var_spool_t and mail_spool_t policy listed below seems to do
the trick, though obviously a more complete solution would require
proper "macro-ising" to take account of staff_evolution_t and so on.

As far as I can tell, there isn't a boolean switch to allow for this.


The second, slightly more intractable problem is that of
OpenOffice/Evolution integration.

I have the allow_execmem boolean enabled to allow for a plain launch of
OpenOffice, but I find that an additional execmem policy - see below -
is needed to allow for the launch of OO from within Evolution's
"attachment view dialog" as it now has its own user_evolution_t domain
which seems to ignore the allow_execmem boolean.

The execmem policy is still not sufficient to allow me to launch OO from
Evolution. I've added some extra policy to cope with denial messages
that I've seen for this socket file

/tmp/OSL_PIPE_500_SingleOfficeIPC_2df8e6ac565346ee4ccc8ac992ddaa83

which OO creates, but this is still not enough to make OO fire up.

The socket created by OO appears to get left behind once OO has
finished, which makes me suspect that part of the problem is that the
socket has a different file_context when created from user_t as opposed
to user_evolution_t.

With my current patched policy, I get no further SELinux denial
messages, so debugging the problem has become trickier. Presumably there
is a dontaudit policy somewhere suppressing the error message I'm
interested in, but I haven't tracked it down yet.

Any suggestions, folks?


Current patches to strict policy:

=================================================================


cat /etc/selinux/strict/src/policy/domains/program/localpolicy.te
# Miscellaneous Local SELinux policy not
# covered by other .te configuration
...

##############################################################
# Patch to allow Evolution to read home mail spools
# Seemingly still required as not included in default policy
allow user_evolution_t var_spool_t:dir { search };
allow user_evolution_t mail_spool_t:dir { read getattr search };
allow user_evolution_t mail_spool_t:file { read getattr write };

...

#############################################################
# Patch to allow Evolution to launch OpenOffice....
allow user_evolution_t self:process { execmem };
auditallow user_evolution_t self:process { execmem };

#############################################################
# Patch to allow OpenOffice to write to a temporary socket....
allow user_t { user_tmp_t tmp_t }:sock_file { create write unlink };
auditallow user_t { user_tmp_t tmp_t }:sock_file { create write unlink };

...

# Patches to allow OpenOffice to write to a temporary socket....from Evolution
allow user_evolution_t { user_tmp_t tmp_t }:sock_file { create write unlink };
auditallow user_evolution_t { user_tmp_t tmp_t }:sock_file { create write unlink };



-- 
Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/
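The rules in the post were written by hand from the AVC denials the author saw. As an added example (not part of the original message or of the Fedora policy sources), the script below shows the mechanical version of that step: it parses kernel AVC "denied" lines, merges the permissions for each (source domain, target type, object class) triple, writes a process acting on its own domain as `self`, and emits `allow` rules in the same form as the localpolicy.te snippet, optionally paired with `auditallow` so the rule keeps logging when it fires. The sample log lines are constructed for this example; the pids, inode numbers and timestamps in them are made up.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample AVC lines in the 2005-era kernel audit format.
# The pids, dev/ino values and timestamps are invented for this example.
SAMPLE_AVC_LINES = [
    'audit(1129290302.101:41): avc:  denied  { search } for  pid=4242 comm="evolution" '
    'name="spool" dev=hda3 ino=65 scontext=user_u:user_r:user_evolution_t '
    'tcontext=system_u:object_r:var_spool_t tclass=dir',
    'audit(1129290302.102:42): avc:  denied  { read } for  pid=4242 comm="evolution" '
    'name="mail" dev=hda3 ino=66 scontext=user_u:user_r:user_evolution_t '
    'tcontext=system_u:object_r:mail_spool_t tclass=dir',
    'audit(1129290302.103:43): avc:  denied  { getattr search } for  pid=4242 comm="evolution" '
    'name="mail" dev=hda3 ino=66 scontext=user_u:user_r:user_evolution_t '
    'tcontext=system_u:object_r:mail_spool_t tclass=dir',
    'audit(1129290302.104:44): avc:  denied  { read } for  pid=4242 comm="evolution" '
    'name="ted" dev=hda3 ino=67 scontext=user_u:user_r:user_evolution_t '
    'tcontext=system_u:object_r:mail_spool_t tclass=file',
    'audit(1129290302.105:45): avc:  denied  { execmem } for  pid=4243 comm="soffice.bin" '
    'scontext=user_u:user_r:user_evolution_t tcontext=user_u:user_r:user_evolution_t tclass=process',
    'Oct 14 13:05:02 host kernel: some unrelated syslog line that must be ignored',
]

Denial = namedtuple("Denial", "source target tclass perms")

# Matches the AVC denial format of the period:
#   avc:  denied  { perm ... } for  pid=... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field (third colon-separated component) of a security context."""
    return ctx.split(":")[2]


def parse_avc(lines):
    """Extract Denial records from log lines; lines that are not AVC denials are skipped."""
    denials = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        source = context_type(m.group("scontext"))
        target = context_type(m.group("tcontext"))
        # Policy language writes a domain acting on its own type as 'self'
        if target == source:
            target = "self"
        perms = tuple(m.group("perms").split())
        denials.append(Denial(source, target, m.group("tclass"), perms))
    return denials


def generate_rules(denials, audit=False):
    """Merge denials per (source, target, class) and render allow (and optionally auditallow) rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d.source, d.target, d.tclass)].update(d.perms)
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        body = f"{source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        rules.append("allow " + body)
        if audit:
            rules.append("auditallow " + body)
    return rules


if __name__ == "__main__":
    for rule in generate_rules(parse_avc(SAMPLE_AVC_LINES), audit=True):
        print(rule)
```

Merging matters because one operation often produces several denials for the same pair of types (the two mail_spool_t:dir lines above collapse into a single `{ getattr read search }` rule), and the resulting rule list is easier to read against the policy than the raw log. Note that this only turns logged denials into rules; a denial suppressed by a `dontaudit` rule, which is what the post suspects for the socket problem, never reaches the log and so never shows up here.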



