2011-03-09 21:12:38

by sven.vermeulen

Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations

Binary installations of firefox provide binaries in /opt/firefox by default.

Also, the binary can be in /usr/bin (but most often this is a script that calls
the binary in /opt/firefox). In both cases, this needs to be marked as
mozilla_exec_t too.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/mozilla.fc | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
index 93ac529..ad59444 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
@@ -7,6 +7,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /bin
#
+/usr/bin/firefox(-bin)? -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
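Review bot: the (-bin)? alternative in the new /usr/bin/firefox(-bin)? entry labels a path the commit message does not describe: the message says /usr/bin holds a wrapper script that calls the binary in /opt/firefox, and firefox-bin is not normally installed outside the firefox directory itself. Unless a distribution really ships firefox-bin in /usr/bin, the tighter spec is /usr/bin/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0), and if this layout is specific to one distribution the entry belongs inside a distro_gentoo ifdef block so that other distributions do not pick up the pattern.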
@@ -27,3 +28,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+#
+# /opt
+#
+/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
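Review bot: the /opt/firefox/libxul\.so line assigns textrel_shlib_t from mozilla.fc, but that type is owned by the libraries module and its specs are kept in that module's .fc file (libraries.fc), so the line should move there; the other four /opt/firefox entries are correctly mozilla_exec_t and fit this file. textrel_shlib_t also relaxes the execmod restriction on the library, which is only justified when the file actually carries text relocations, so the commit message should say which build needs it (the Mozilla-distributed binary rather than a source build) and the label should not be applied unconditionally to every /opt/firefox install.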
--
1.7.3.4
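The labelling rules the patch relies on (a -- qualifier restricts a spec to regular files, the regex must match the whole path, and of several matching specs the last one in the file wins, which is how the mozilla.fc entries override the generic bin_t and lib_t labels) can be checked with a small matcher. This is an added example, not code from the patch or from refpolicy; the generic /usr/bin and /opt fallback lines in the sample are constructed, and Python's re is assumed close enough to the POSIX extended syntax these specs use.

```python
import re

# Constructed sample: the mozilla.fc lines from the patch plus generic fallback specs
# (patterned after the corefs/libraries ones) that a more specific entry overrides.
FILE_CONTEXTS = r"""
/usr/bin/.*                         gen_context(system_u:object_r:bin_t,s0)
/opt/.*                             gen_context(system_u:object_r:usr_t,s0)
/opt/.*\.so(\.[^/]*)*           --  gen_context(system_u:object_r:lib_t,s0)
/usr/bin/firefox(-bin)?         --  gen_context(system_u:object_r:mozilla_exec_t,s0)
/opt/firefox/libxul\.so         --  gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/firefox/firefox            --  gen_context(system_u:object_r:mozilla_exec_t,s0)
/opt/firefox/run-mozilla\.sh    --  gen_context(system_u:object_r:mozilla_exec_t,s0)
/opt/firefox/firefox-bin        --  gen_context(system_u:object_r:mozilla_exec_t,s0)
/opt/firefox/plugin-container   --  gen_context(system_u:object_r:mozilla_exec_t,s0)
"""
# file_contexts(5) file-type qualifiers; a spec without one applies to every object class.
FTYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr", "-b": "blk", "-s": "sock", "-p": "fifo"}

def parse_fc(text):
    """Parse spec lines into (compiled regex, file type or None, SELinux type)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        regex, ftype, ctx = (parts[0], parts[1], parts[2]) if len(parts) == 3 else (parts[0], None, parts[1])
        m = re.fullmatch(r"gen_context\(\w+:\w+:(\w+),[^)]*\)", ctx)
        if not m or (ftype is not None and ftype not in FTYPES):
            raise ValueError("malformed file_contexts line: " + line)
        # setfiles anchors the regex at both ends, so a spec matches the whole path only.
        specs.append((re.compile(regex), FTYPES.get(ftype), m.group(1)))
    return specs

def label_for(specs, path, ftype="file"):
    """Type a path would receive: of all specs that match, the last one in the file wins."""
    chosen = None
    for regex, spec_ftype, setype in specs:
        if regex.fullmatch(path) and spec_ftype in (None, ftype):
            chosen = setype
    return chosen

if __name__ == "__main__":
    specs = parse_fc(FILE_CONTEXTS)
    for p in ("/usr/bin/firefox", "/usr/bin/firefox-bin", "/opt/firefox/libxul.so", "/opt/firefox/libmozjs.so"):
        print(p, "->", label_for(specs, p))
```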


2011-03-09 22:39:38

by Guido Trentalancia

Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations

On Wed, 09/03/2011 at 22.12 +0100, Sven Vermeulen wrote:
> Binary installations of firefox provide binaries in /opt/firefox by default.
>
> Also, the binary can be in /usr/bin (but most often this is a script that calls
> the binary in /opt/firefox). In both cases, this needs to be marked as
> mozilla_exec_t too.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/apps/mozilla.fc | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
> index 93ac529..ad59444 100644
> --- a/policy/modules/apps/mozilla.fc
> +++ b/policy/modules/apps/mozilla.fc
> @@ -7,6 +7,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> #
> # /bin
> #
> +/usr/bin/firefox(-bin)? -- gen_context(system_u:object_r:mozilla_exec_t,s0)

I think the -bin would hardly get anywhere outside of the firefox
directory (independently of where that is) unless one works very hard
towards that.

> /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> @@ -27,3 +28,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> +
> +#
> +# /opt
> +#
> +/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> +/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> +/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> +/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> +/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)

The idea sounds desirable to me! But apart from the second and the
fourth elements, I had everything else labelled generically bin_t and
lib_t and I wasn't experiencing problems...

Text relocations aren't that good (libxul.so) as far as I know. Is it
not possible to get rid of them? I think I could avoid that on a test
system.

Regards,

Guido

2011-03-10 08:27:10

by domg472

Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations


On 03/09/2011 11:39 PM, Guido Trentalancia wrote:
> On Wed, 09/03/2011 at 22.12 +0100, Sven Vermeulen wrote:
>> Binary installations of firefox provide binaries in /opt/firefox by default.
>>
>> Also, the binary can be in /usr/bin (but most often this is a script that calls
>> the binary in /opt/firefox). In both cases, this needs to be marked as
>> mozilla_exec_t too.
>>
>> Signed-off-by: Sven Vermeulen <[email protected]>
>> ---
>> policy/modules/apps/mozilla.fc | 10 ++++++++++
>> 1 files changed, 10 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
>> index 93ac529..ad59444 100644
>> --- a/policy/modules/apps/mozilla.fc
>> +++ b/policy/modules/apps/mozilla.fc
>> @@ -7,6 +7,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
>> #
>> # /bin
>> #
>> +/usr/bin/firefox(-bin)? -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>
> I think the -bin would hardly get anywhere outside of the firefox
> directory (independently of where that is) unless one works very hard
> towards that.
>
>> /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> @@ -27,3 +28,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
>> /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> +
>> +#
>> +# /opt
>> +#
>> +/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>> +/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> +/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> +/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> +/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>
> The idea sounds desirable to me! But apart from the second and the
> fourth elements, I had everything else labelled generically bin_t and
> lib_t and I wasn't experiencing problems...

The textrel_shlib_t does not belong in mozilla's file context file. I
think it's libraries.

Besides that, I am unable to confirm that libxul needs text relocations on
my F14 config, I believe.

> Text relocations aren't that good (libxul.so) as far as I know. Is it
> not possible to get rid of them? I think I could avoid that on a test
> system.
>
> Regards,
>
> Guido
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


2011-03-10 12:02:03

by Guido Trentalancia

Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations

On Thu, 10/03/2011 at 09.27 +0100, Dominick Grift wrote:
> On 03/09/2011 11:39 PM, Guido Trentalancia wrote:
> > On Wed, 09/03/2011 at 22.12 +0100, Sven Vermeulen wrote:
> >> Binary installations of firefox provide binaries in /opt/firefox by default.
> >>
> >> Also, the binary can be in /usr/bin (but most often this is a script that calls
> >> the binary in /opt/firefox). In both cases, this needs to be marked as
> >> mozilla_exec_t too.
> >>
> >> Signed-off-by: Sven Vermeulen <[email protected]>
> >> ---
> >> policy/modules/apps/mozilla.fc | 10 ++++++++++
> >> 1 files changed, 10 insertions(+), 0 deletions(-)
> >>
> >> diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
> >> index 93ac529..ad59444 100644
> >> --- a/policy/modules/apps/mozilla.fc
> >> +++ b/policy/modules/apps/mozilla.fc
> >> @@ -7,6 +7,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> >> #
> >> # /bin
> >> #
> >> +/usr/bin/firefox(-bin)? -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >
> > I think the -bin would hardly get anywhere outside of the firefox
> > directory (independently of where that is) unless one works very hard
> > towards that.
> >
> >> /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> @@ -27,3 +28,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> >> /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +
> >> +#
> >> +# /opt
> >> +#
> >> +/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> >> +/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >
> > The idea sounds desirable to me! But apart from the second and the
> > fourth elements, I had everything else labelled generically bin_t and
> > lib_t and I wasn't experiencing problems...
>
> The textrel_shlib_t does not belong in mozilla's file context file. I
> think it's libraries.

Yes, of course.

> Besides that, I am unable to confirm that libxul needs text relocations on
> my F14 config, I believe.
>
> > Text relocations aren't that good (libxul.so) as far as I know. Is it
> > not possible to get rid of them? I think I could avoid that on a test
> > system.

Plain F14 policy has text relocations for libxul.so but does that
privately. Text relocations are bad if they can be avoided and usually
that is the case. Now we have at least two confirmed cases that this is
possible (me and you)...

Regards,

Guido

2011-03-10 13:37:05

by sven.vermeulen

Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations

On Thu, Mar 10, 2011 at 01:02:03PM +0100, Guido Trentalancia wrote:
> Plain F14 policy has text relocations for libxul.so but does that
> privately. Text relocations are bad if they can be avoided and usually
> that is the case. Now we have at least two confirmed cases that this is
> possible (me and you)...

I believe that the textrel_shlib_t is needed if you use the 32-bit binary
distribution as offered by Mozilla (for firefox), not if it is built from
source.

I'll build a firefox here and give feedback.

In any case, you're correct in that textrel_shlib_t contexts should be
considered in the libraries.fc one instead. But I'll first see if I can
confirm if it is always necessary or only in particular situations.

Wkr,
Sven Vermeulen

2011-03-10 14:10:46

by sven.vermeulen

Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations

On Thu, Mar 10, 2011 at 02:37:05PM +0100, Sven Vermeulen wrote:
> I believe that the textrel_shlib_t is needed if you use the 32-bit binary
> distribution as offered by Mozilla (for firefox), not if it is built from
> source.
>
> I'll build a firefox here and give feedback.

Indeed, using a self-built firefox rather than the distributed binaries
requires no textrel_shlib_t on the libxul.so file (or any other related
one).

Wkr,
Sven Vermeulen
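Whether a given libxul.so needs textrel_shlib_t or can stay on plain lib_t is something the file itself records: the ELF dynamic section carries a DT_TEXTREL tag (or the DF_TEXTREL bit in DT_FLAGS) exactly when the object requires text relocations, which is what readelf -d reports as TEXTREL. The following is an added example, not code from this thread or from refpolicy; it reads the dynamic section directly so it runs without binutils, handles both the 32-bit Mozilla build and 64-bit objects, and the sample sections and minimal ELF image are constructed here rather than taken from a real build.

```python
import struct
# elf.h constants: the dynamic tags and DT_FLAGS bit that mark an object as needing text
# relocations, which is exactly the relaxation the textrel_shlib_t label permits.
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL, PT_DYNAMIC = 0, 22, 30, 0x4, 2
# Per ELF class: Dyn entry format, (e_phoff fmt, off), e_phentsize/e_phnum off, (p_offset fmt, off), (p_filesz fmt, off)
LAYOUT = {1: ("<iI", ("<I", 28), 42, ("<I", 4), ("<I", 16)),   # ELFCLASS32, e.g. the 32-bit Mozilla build
          2: ("<qQ", ("<Q", 32), 54, ("<Q", 8), ("<Q", 32))}   # ELFCLASS64

def dynamic_has_textrel(dyn, elfclass=2):
    """True if a little-endian .dynamic section carries DT_TEXTREL, or DF_TEXTREL inside DT_FLAGS."""
    fmt = LAYOUT[elfclass][0]
    size = struct.calcsize(fmt)
    for off in range(0, len(dyn) - size + 1, size):
        tag, val = struct.unpack_from(fmt, dyn, off)
        if tag == DT_NULL:
            break
        if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
            return True
    return False

def elf_dynamic_section(data):
    """Return (elfclass, bytes of the PT_DYNAMIC segment) of a little-endian ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] not in LAYOUT or data[5] != 1:
        raise ValueError("not a little-endian ELF object")
    elfclass = data[4]
    _, (phoff_fmt, phoff_at), phcount_at, (off_fmt, off_at), (sz_fmt, sz_at) = LAYOUT[elfclass]
    e_phoff, = struct.unpack_from(phoff_fmt, data, phoff_at)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, phcount_at)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        if struct.unpack_from("<I", data, base)[0] == PT_DYNAMIC:
            p_offset, = struct.unpack_from(off_fmt, data, base + off_at)
            p_filesz, = struct.unpack_from(sz_fmt, data, base + sz_at)
            return elfclass, data[p_offset:p_offset + p_filesz]
    return elfclass, b""  # no PT_DYNAMIC: nothing is relocated at load time

def needs_textrel_label(path):
    """Whether a library on disk needs textrel_shlib_t rather than plain lib_t."""
    with open(path, "rb") as f:
        elfclass, dyn = elf_dynamic_section(f.read())
    return dynamic_has_textrel(dyn, elfclass)

# Constructed samples (not from a real libxul.so): a clean PIC dynamic section, one with DT_TEXTREL,
# a 32-bit one flagged via DT_FLAGS, and a minimal ELF64 image (header, one PT_DYNAMIC phdr, .dynamic at 120).
CLEAN_DYNAMIC64 = struct.pack("<qQqQqQ", 1, 0x10, DT_FLAGS, 0x8, DT_NULL, 0)
TEXTREL_DYNAMIC64 = struct.pack("<qQqQqQ", 1, 0x10, DT_TEXTREL, 0, DT_NULL, 0)
TEXTREL_DYNAMIC32 = struct.pack("<iIiIiI", 1, 0x10, DT_FLAGS, DF_TEXTREL, DT_NULL, 0)
MINI_ELF64 = (b"\x7fELF\x02\x01\x01" + bytes(9)
              + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
              + struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, 48, 48, 8) + TEXTREL_DYNAMIC64)
```

Running needs_textrel_label over each .so in an /opt/firefox tree tells you which files, if any, the textrel_shlib_t spec should cover for that particular build.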

2011-03-10 15:25:50

by Guido Trentalancia

Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations

On Thu, 10/03/2011 at 14.37 +0100, Sven Vermeulen wrote:
> On Thu, Mar 10, 2011 at 01:02:03PM +0100, Guido Trentalancia wrote:
> > Plain F14 policy has text relocations for libxul.so but does that
> > privately. Text relocations are bad if they can be avoided and usually
> > that is the case. Now we have at least two confirmed cases that this is
> > possible (me and you)...
>
> I believe that the textrel_shlib_t is needed if you use the 32-bit binary
> distribution as offered by Mozilla (for firefox), not if it is built from
> source.

Perhaps someone could drop a note to mozilla.org? When I build it, I
don't even need to pass the -fPIC flag and it does not require text
relocations...

> I'll build a firefox here and give feedback.
>
> In any case, you're correct in that textrel_shlib_t contexts should be
> considered in the libraries.fc one instead. But I'll first see if I can
> confirm if it is always necessary or only in particular situations.
>
> Wkr,
> Sven Vermeulen

2011-03-10 14:34:21

by Guido Trentalancia

Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations

On Thu, 10/03/2011 at 15.10 +0100, Sven Vermeulen wrote:
> On Thu, Mar 10, 2011 at 02:37:05PM +0100, Sven Vermeulen wrote:
> > I believe that the textrel_shlib_t is needed if you use the 32-bit binary
> > distribution as offered by Mozilla (for firefox), not if it is built from
> > source.
> >
> > I'll build a firefox here and give feedback.
>
> Indeed, using a self-built firefox rather than the distributed binaries
> requires no textrel_shlib_t on the libxul.so file (or any other related
> one).

But the idea that a user gets fed up (for whatever reason) with the
version of firefox distributed with the distribution and wants to
install the mozilla.org binaries is very good. In that view it is very much
desirable that a distribution is ready to accommodate that case for what
is probably the number 1 graphical application.

So, I would suggest giving feedback to mozilla.org and then keeping part of
that patch.

Regards,

Guido

2011-03-23 13:08:49

by cpebenito

Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations

On 03/09/11 16:12, Sven Vermeulen wrote:
> Binary installations of firefox provide binaries in /opt/firefox by default.
>
> Also, the binary can be in /usr/bin (but most often this is a script that calls
> the binary in /opt/firefox). In both cases, this needs to be marked as
> mozilla_exec_t too.

I suspect that these are Gentoo-specific. If so, they should be in
distro_gentoo blocks.

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/apps/mozilla.fc | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
> index 93ac529..ad59444 100644
> --- a/policy/modules/apps/mozilla.fc
> +++ b/policy/modules/apps/mozilla.fc
> @@ -7,6 +7,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> #
> # /bin
> #
> +/usr/bin/firefox(-bin)? -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> @@ -27,3 +28,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> +
> +#
> +# /opt
> +#
> +/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> +/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> +/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> +/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> +/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com