2011-03-09 21:11:21

by sven.vermeulen

Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage tempfiles

To be able to launch firefox, firefox needs to use tmp files and sockets.
Create a domain for firefox to work in. Use ubac_constrained so as not to
potentially leak info.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/mozilla.te | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 2a91fa8..c8c459c 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -33,6 +33,10 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
files_tmpfs_file(mozilla_tmpfs_t)
ubac_constrained(mozilla_tmpfs_t)

+type mozilla_tmp_t;
+files_tmp_file(mozilla_tmp_t)
+ubac_contrained(mozilla_tmp_t)
+
########################################
#
# Local policy
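Review bot: `ubac_contrained(mozilla_tmp_t)` in the new type declaration is misspelled; the context line just above it uses `ubac_constrained(mozilla_tmpfs_t)`. As written the call does not match that interface name, so the UBAC constraint the commit message asks for is not applied to mozilla_tmp_t. Change it to `ubac_constrained(mozilla_tmp_t)`. The mozilla_tmpfs_t declaration shown in the hunk header also has a typealias for the role-prefixed names; check whether mozilla_tmp_t needs the same.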
@@ -68,6 +72,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })

+manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } )
+
kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
# Access /proc, sysctl
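Review bot: `files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } )` has a stray space before the closing parenthesis; the `fs_tmpfs_filetrans` line directly above it closes with `})`. The commit message also speaks of tmp files and sockets, while this private type only covers files and directories, so state in the message which objects are expected to end up labelled mozilla_tmp_t.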
@@ -142,6 +150,8 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
sysnet_dns_name_resolve(mozilla_t)

userdom_use_user_ptys(mozilla_t)
+userdom_manage_user_tmp_files(mozilla_t)
+userdom_manage_user_tmp_sockets(mozilla_t)

xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
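Review bot: `userdom_manage_user_tmp_files(mozilla_t)` and `userdom_manage_user_tmp_sockets(mozilla_t)` give the browser domain manage access to the user's temporary files and sockets in general, on top of the private mozilla_tmp_t type and transition added earlier in this patch. The commit message does not say which files or sockets require this. Name them, or drop these two lines and keep firefox's temporary content in mozilla_tmp_t.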
--
1.7.3.4


2011-03-09 22:42:22

by Guido Trentalancia

Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage tempfiles

I did build firefox from sources (several times since 3.6.10) and it was
not requiring these...

Is it the new 4.0 version?

Regards,

Guido

On Wed, 09/03/2011 at 22.11 +0100, Sven Vermeulen wrote:
> To be able to launch firefox, firefox needs to use tmp files and sockets.
> Create a domain for firefox to work in. Use ubac_constrained so as not to
> potentially leak info.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/apps/mozilla.te | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
> index 2a91fa8..c8c459c 100644
> --- a/policy/modules/apps/mozilla.te
> +++ b/policy/modules/apps/mozilla.te
> @@ -33,6 +33,10 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
> files_tmpfs_file(mozilla_tmpfs_t)
> ubac_constrained(mozilla_tmpfs_t)
>
> +type mozilla_tmp_t;
> +files_tmp_file(mozilla_tmp_t)
> +ubac_contrained(mozilla_tmp_t)
> +
> ########################################
> #
> # Local policy
> @@ -68,6 +72,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
>
> +manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } )
> +
> kernel_read_kernel_sysctls(mozilla_t)
> kernel_read_network_state(mozilla_t)
> # Access /proc, sysctl
> @@ -142,6 +150,8 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
> sysnet_dns_name_resolve(mozilla_t)
>
> userdom_use_user_ptys(mozilla_t)
> +userdom_manage_user_tmp_files(mozilla_t)
> +userdom_manage_user_tmp_sockets(mozilla_t)
>
> xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
> xserver_dontaudit_read_xdm_tmp_files(mozilla_t)

2011-03-10 08:39:58

by domg472

Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage tempfiles

On 03/09/2011 10:11 PM, Sven Vermeulen wrote:
> To be able to launch firefox, firefox needs to use tmp files and sockets.
> Create a domain for firefox to work in. Use ubac_constrained so as not to
> potentially leak info.

Sockets are for pulseaudio and gconfd (both of which I would rather
confine).

In my policy firefox is allowed to manage mozilla_tmp_t dirs, files and
fifo files.

In my policy firefox does not need access to user_tmp_t content, but that
is because I have almost everything confined here in f14. I am just
saying that it's possible.

http://fedorapeople.org/gitweb?p=domg472/public_git/refpolicy.git;a=blob;f=policy/modules/apps/mozilla.if;h=ee4b0ea7f0fd9d5fec9b2f3d7cd85d6992e40bc4;hb=d95cf13ca9071539d5141df857bb9c869f1d2356

I have been using this policy for months now.


> policy/modules/apps/mozilla.te | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
> index 2a91fa8..c8c459c 100644
> --- a/policy/modules/apps/mozilla.te
> +++ b/policy/modules/apps/mozilla.te
> @@ -33,6 +33,10 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
> files_tmpfs_file(mozilla_tmpfs_t)
> ubac_constrained(mozilla_tmpfs_t)
>
> +type mozilla_tmp_t;
> +files_tmp_file(mozilla_tmp_t)
> +ubac_contrained(mozilla_tmp_t)
> +
> ########################################
> #
> # Local policy
> @@ -68,6 +72,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
>
> +manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } )
> +
> kernel_read_kernel_sysctls(mozilla_t)
> kernel_read_network_state(mozilla_t)
> # Access /proc, sysctl
> @@ -142,6 +150,8 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
> sysnet_dns_name_resolve(mozilla_t)
>
> userdom_use_user_ptys(mozilla_t)
> +userdom_manage_user_tmp_files(mozilla_t)
> +userdom_manage_user_tmp_sockets(mozilla_t)
>
> xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
> xserver_dontaudit_read_xdm_tmp_files(mozilla_t)


2011-03-23 13:10:37

by cpebenito

Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage tempfiles

On 03/09/11 16:11, Sven Vermeulen wrote:
> To be able to launch firefox, firefox needs to use tmp files and sockets.
> Create a domain for firefox to work in. Use ubac_constrained so as not to
> potentially leak info.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/apps/mozilla.te | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
> index 2a91fa8..c8c459c 100644
> --- a/policy/modules/apps/mozilla.te
> +++ b/policy/modules/apps/mozilla.te
> @@ -33,6 +33,10 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
> files_tmpfs_file(mozilla_tmpfs_t)
> ubac_constrained(mozilla_tmpfs_t)
>
> +type mozilla_tmp_t;
> +files_tmp_file(mozilla_tmp_t)
> +ubac_contrained(mozilla_tmp_t)
> +
> ########################################
> #
> # Local policy
> @@ -68,6 +72,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
>
> +manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } )
> +
> kernel_read_kernel_sysctls(mozilla_t)
> kernel_read_network_state(mozilla_t)
> # Access /proc, sysctl
> @@ -142,6 +150,8 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
> sysnet_dns_name_resolve(mozilla_t)
>
> userdom_use_user_ptys(mozilla_t)
> +userdom_manage_user_tmp_files(mozilla_t)
> +userdom_manage_user_tmp_sockets(mozilla_t)

Do you have more info on these? Such as what files and sockets are
being managed?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-04-16 12:30:51

by sven.vermeulen

Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage tempfiles

On Wed, Mar 23, 2011 at 09:10:37AM -0400, Christopher J. PeBenito wrote:
> On 03/09/11 16:11, Sven Vermeulen wrote:
> > +type mozilla_tmp_t;
> > +files_tmp_file(mozilla_tmp_t)
> > +ubac_contrained(mozilla_tmp_t)
> > +
> > ########################################
> > #
> > # Local policy
> > @@ -68,6 +72,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> > manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> > fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
> >
> > +manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> > +manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> > +files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } )
> > +
> > kernel_read_kernel_sysctls(mozilla_t)
> > kernel_read_network_state(mozilla_t)
> > # Access /proc, sysctl

The mozilla_tmp_t is used by firefox to create
/tmp/plugtmp/plugin-crossdomain.xml (for instance while viewing Youtube
streams).

> > @@ -142,6 +150,8 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
> > sysnet_dns_name_resolve(mozilla_t)
> >
> > userdom_use_user_ptys(mozilla_t)
> > +userdom_manage_user_tmp_files(mozilla_t)
> > +userdom_manage_user_tmp_sockets(mozilla_t)
>
> Do you have more info on these? Such as what files and sockets are
> being managed?

These ones I have not been able to hit immediately, but I'll run a while
without to see if I can get the information back.

Wkr,
Sven Vermeulen
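
One way to gather the information asked for in this exchange (which files and sockets firefox touches outside its own type) is to run without the two userdom_manage_user_tmp_* lines and summarise the AVC denials that result. The script below is an added example, not part of the thread or of refpolicy; the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed audit.log excerpt (not from the thread); pids, inodes and names are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1302950000.101:311): avc:  denied  { write } for  pid=4021 comm="firefox" name="native" dev=sda3 ino=7712 scontext=staff_u:staff_r:mozilla_t tcontext=staff_u:object_r:user_tmp_t tclass=sock_file
type=SYSCALL msg=audit(1302950000.101:311): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1302950007.440:318): avc:  denied  { write } for  pid=4021 comm="firefox" name="native" dev=sda3 ino=7712 scontext=staff_u:staff_r:mozilla_t tcontext=staff_u:object_r:user_tmp_t tclass=sock_file
type=AVC msg=audit(1302950011.902:325): avc:  denied  { create } for  pid=4021 comm="firefox" name="plugtmp" scontext=staff_u:staff_r:mozilla_t tcontext=staff_u:object_r:tmp_t tclass=dir
type=AVC msg=audit(1302950020.008:331): avc:  denied  { read } for  pid=977 comm="bash" name="scratch" dev=sda3 ino=8001 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1302950031.615:340): avc:  denied  { getattr } for  pid=4021 comm="firefox" path="/home/user/notes" dev=sda3 ino=9100 scontext=staff_u:staff_r:mozilla_t tcontext=staff_u:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def ctx_type(context):
    """Return the type field of user:role:type[:mls], or '?' if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else "?"


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "source": ctx_type(fields["scontext"]),
        "target": ctx_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "name": fields.get("name") or fields.get("path", "?"),
    }


def summarize(log_text, source="mozilla_t", targets=("user_tmp_t", "tmp_t")):
    """Count denials from `source` against the temporary-file types of interest."""
    seen = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["source"] == source and rec["target"] in targets:
            seen[(rec["target"], rec["tclass"], rec["name"], rec["perms"])] += 1
    return seen


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(count, *key)
```

Each key in the result names a target type, object class, object name and permission set, which is the detail needed to decide whether an object belongs in mozilla_tmp_t or really requires access to user_tmp_t.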

2011-05-02 20:45:50

by sven.vermeulen

Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage tempfiles

On Wed, Mar 23, 2011 at 09:10:37AM -0400, Christopher J. PeBenito wrote:
> > userdom_use_user_ptys(mozilla_t)
> > +userdom_manage_user_tmp_files(mozilla_t)
> > +userdom_manage_user_tmp_sockets(mozilla_t)
>
> Do you have more info on these? Such as what files and sockets are
> being managed?

Not anymore apparently. Been running now for quite some time without these
privileges and I get no problems with it. Retry:

Mozilla/Firefox creates temporary files for its plugin support (for instance
while viewing flc streams), like /tmp/plugtmp/plugin-crossdomain.xml.

Update policy to allow it to create its own tmp type and perform a file
transition when creating a file or directory in a tmp_t location (like
/tmp).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/mozilla.te | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 2a91fa8..9c0e5dc 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -33,6 +33,12 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
files_tmpfs_file(mozilla_tmpfs_t)
ubac_constrained(mozilla_tmpfs_t)

+type mozilla_tmp_t;
+typealias mozilla_tmp_t alias { user_mozilla_tmp_t staff_mozilla_tmp_t sysadm_mozilla_tmp_t };
+typealias mozilla_tmp_t alias { auditadm_mozilla_t secadm_mozilla_t };
+files_tmp_file(mozilla_tmp_t)
+ubac_constrained(mozilla_tmp_t)
+
########################################
#
# Local policy
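Review bot: The second typealias line, `typealias mozilla_tmp_t alias { auditadm_mozilla_t secadm_mozilla_t };`, drops the `_tmp` part of the names. The line before it uses `user_mozilla_tmp_t staff_mozilla_tmp_t sysadm_mozilla_tmp_t`, and the mozilla_tmpfs_t typealias in the hunk header uses `auditadm_mozilla_tmpfs_t`, so these look like they should be `auditadm_mozilla_tmp_t` and `secadm_mozilla_tmp_t`. As written, names shaped like role-prefixed browser domain types become aliases of a temporary file type.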
@@ -68,6 +74,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })

+manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+
kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
# Access /proc, sysctl
--
1.7.3.4

2011-05-04 13:18:05

by cpebenito

Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage tempfiles

On 05/02/11 16:45, Sven Vermeulen wrote:
> On Wed, Mar 23, 2011 at 09:10:37AM -0400, Christopher J. PeBenito wrote:
>>> userdom_use_user_ptys(mozilla_t)
>>> +userdom_manage_user_tmp_files(mozilla_t)
>>> +userdom_manage_user_tmp_sockets(mozilla_t)
>>
>> Do you have more info on these? Such as what files and sockets are
>> being managed?
>
> Not anymore apparently. Been running now for quite some time without these
> privileges and I get no problems with it. Retry:
>
> Mozilla/Firefox creates temporary files for its plugin support (for instance
> while viewing flc streams), like /tmp/plugtmp/plugin-crossdomain.xml.
>
> Update policy to allow it to create its own tmp type and perform a file
> transition when creating a file or directory in a tmp_t location (like
> /tmp).

Merged.

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/apps/mozilla.te | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
> index 2a91fa8..9c0e5dc 100644
> --- a/policy/modules/apps/mozilla.te
> +++ b/policy/modules/apps/mozilla.te
> @@ -33,6 +33,12 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
> files_tmpfs_file(mozilla_tmpfs_t)
> ubac_constrained(mozilla_tmpfs_t)
>
> +type mozilla_tmp_t;
> +typealias mozilla_tmp_t alias { user_mozilla_tmp_t staff_mozilla_tmp_t sysadm_mozilla_tmp_t };
> +typealias mozilla_tmp_t alias { auditadm_mozilla_t secadm_mozilla_t };
> +files_tmp_file(mozilla_tmp_t)
> +ubac_constrained(mozilla_tmp_t)
> +
> ########################################
> #
> # Local policy
> @@ -68,6 +74,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
>
> +manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
> +
> kernel_read_kernel_sysctls(mozilla_t)
> kernel_read_network_state(mozilla_t)
> # Access /proc, sysctl


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com