Let mozilla manage temporary java content when executing
java (strictly needed to run Java Web Start applications
using the Java Network Launching Protocol (JNLP)).
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/java.if | 20 ++++++++++++++++++++
policy/modules/contrib/mozilla.te | 2 ++
2 files changed, 22 insertions(+)
--- a/policy/modules/contrib/mozilla.te 2017-09-16 16:21:54.850402273 +0200
+++ b/policy/modules/contrib/mozilla.te 2017-09-16 17:23:05.863425868 +0200
@@ -296,6 +296,7 @@ optional_policy(`
optional_policy(`
java_exec(mozilla_t)
java_manage_generic_home_content(mozilla_t)
+ java_manage_java_tmp(mozilla_t)
java_home_filetrans_java_home(mozilla_t, dir, ".java")
')
@@ -566,6 +567,7 @@ optional_policy(`
optional_policy(`
java_exec(mozilla_plugin_t)
java_manage_generic_home_content(mozilla_plugin_t)
+ java_manage_java_tmp(mozilla_plugin_t)
java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
')
--- a/policy/modules/contrib/java.if 2017-09-16 22:55:35.129019841 +0200
+++ b/policy/modules/contrib/java.if 2017-09-16 22:55:06.801019957 +0200
@@ -257,6 +257,26 @@ interface(`java_manage_generic_home_cont
allow $1 java_home_t:file manage_file_perms;
')
+######################################
+## <summary>
+## Create, read, write, and delete
+## temporary java content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_manage_java_tmp',`
+ gen_require(`
+ type java_tmp_t;
+ ')
+
+ allow $1 java_tmp_t:dir manage_dir_perms;
+ allow $1 java_tmp_t:file manage_file_perms;
+')
+
########################################
## <summary>
## Create specified objects in user home
On 09/16/2017 05:16 PM, Guido Trentalancia via refpolicy wrote:
> Let mozilla manage temporary java content when executing
> java (strictly needed to run Java Web Start applications
> using the Java Network Launching Protocol (JNLP)).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/java.if | 20 ++++++++++++++++++++
> policy/modules/contrib/mozilla.te | 2 ++
> 2 files changed, 22 insertions(+)
>
> --- a/policy/modules/contrib/mozilla.te 2017-09-16 16:21:54.850402273 +0200
> +++ b/policy/modules/contrib/mozilla.te 2017-09-16 17:23:05.863425868 +0200
> @@ -296,6 +296,7 @@ optional_policy(`
> optional_policy(`
> java_exec(mozilla_t)
> java_manage_generic_home_content(mozilla_t)
> + java_manage_java_tmp(mozilla_t)
> java_home_filetrans_java_home(mozilla_t, dir, ".java")
> ')
>
> @@ -566,6 +567,7 @@ optional_policy(`
> optional_policy(`
> java_exec(mozilla_plugin_t)
> java_manage_generic_home_content(mozilla_plugin_t)
> + java_manage_java_tmp(mozilla_plugin_t)
> java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
> ')
Can this go into a new tmp file type?
> --- a/policy/modules/contrib/java.if 2017-09-16 22:55:35.129019841 +0200
> +++ b/policy/modules/contrib/java.if 2017-09-16 22:55:06.801019957 +0200
> @@ -257,6 +257,26 @@ interface(`java_manage_generic_home_cont
> allow $1 java_home_t:file manage_file_perms;
> ')
>
> +######################################
> +## <summary>
> +## Create, read, write, and delete
> +## temporary java content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`java_manage_java_tmp',`
> + gen_require(`
> + type java_tmp_t;
> + ')
> +
> + allow $1 java_tmp_t:dir manage_dir_perms;
> + allow $1 java_tmp_t:file manage_file_perms;
> +')
> +
> ########################################
> ## <summary>
> ## Create specified objects in user home
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito
On Sun, 17/09/2017 at 10.18 -0400, Chris PeBenito wrote:
> On 09/16/2017 05:16 PM, Guido Trentalancia via refpolicy wrote:
> > Let mozilla manage temporary java content when executing
> > java (strictly needed to run Java Web Start applications
> > using the Java Network Launching Protocol (JNLP)).
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/java.if | 20 ++++++++++++++++++++
> > policy/modules/contrib/mozilla.te | 2 ++
> > 2 files changed, 22 insertions(+)
> >
> > --- a/policy/modules/contrib/mozilla.te 2017-09-16
> > 16:21:54.850402273 +0200
> > +++ b/policy/modules/contrib/mozilla.te 2017-09-16
> > 17:23:05.863425868 +0200
> > @@ -296,6 +296,7 @@ optional_policy(`
> > optional_policy(`
> > java_exec(mozilla_t)
> > java_manage_generic_home_content(mozilla_t)
> > + java_manage_java_tmp(mozilla_t)
> > java_home_filetrans_java_home(mozilla_t, dir, ".java")
> > ')
> >
> > @@ -566,6 +567,7 @@ optional_policy(`
> > optional_policy(`
> > java_exec(mozilla_plugin_t)
> > java_manage_generic_home_content(mozilla_plugin_t)
> > + java_manage_java_tmp(mozilla_plugin_t)
> > java_home_filetrans_java_home(mozilla_plugin_t, dir,
> > ".java")
> > ')
>
> Can this go into a new tmp file type?
If the user has previously launched a Java Web Start application from
the command-line, or from a domain transition (instead of java_exec()),
then the temporary files (locks) are already labeled as java_tmp_t.
Therefore, without such permission, if the user has previously executed
Java Web Start in its own domain, it won't be able to execute it again
from Mozilla because it cannot manage the previously created temporary
lock files (they are not labeled mozilla_tmp_t, but java_tmp_t).
> > --- a/policy/modules/contrib/java.if 2017-09-16
> > 22:55:35.129019841 +0200
> > +++ b/policy/modules/contrib/java.if 2017-09-16
> > 22:55:06.801019957 +0200
> > @@ -257,6 +257,26 @@ interface(`java_manage_generic_home_cont
> > allow $1 java_home_t:file manage_file_perms;
> > ')
> >
> > +######################################
> > +## <summary>
> > +## Create, read, write, and delete
> > +## temporary java content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`java_manage_java_tmp',`
> > + gen_require(`
> > + type java_tmp_t;
> > + ')
> > +
> > + allow $1 java_tmp_t:dir manage_dir_perms;
> > + allow $1 java_tmp_t:file manage_file_perms;
> > +')
> > +
> > ########################################
> > ## <summary>
> > ## Create specified objects in user home
> >
Regards,
Guido
I also take the opportunity to remind you that without the following
patch:
http://oss.tresys.com/pipermail/refpolicy/2017-June/009766.html
Java Web Start cannot run in its own domain (i.e. as java_t).
So, for example, the user cannot launch a Java Web Start application
from the command-line, but only from mozilla...
On Sun, 17/09/2017 at 10.18 -0400, Chris PeBenito wrote:
> On 09/16/2017 05:16 PM, Guido Trentalancia via refpolicy wrote:
> > Let mozilla manage temporary java content when executing
> > java (strictly needed to run Java Web Start applications
> > using the Java Network Launching Protocol (JNLP)).
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/java.if | 20 ++++++++++++++++++++
> > policy/modules/contrib/mozilla.te | 2 ++
> > 2 files changed, 22 insertions(+)
> >
> > --- a/policy/modules/contrib/mozilla.te 2017-09-16
> > 16:21:54.850402273 +0200
> > +++ b/policy/modules/contrib/mozilla.te 2017-09-16
> > 17:23:05.863425868 +0200
> > @@ -296,6 +296,7 @@ optional_policy(`
> > optional_policy(`
> > java_exec(mozilla_t)
> > java_manage_generic_home_content(mozilla_t)
> > + java_manage_java_tmp(mozilla_t)
> > java_home_filetrans_java_home(mozilla_t, dir, ".java")
> > ')
> >
> > @@ -566,6 +567,7 @@ optional_policy(`
> > optional_policy(`
> > java_exec(mozilla_plugin_t)
> > java_manage_generic_home_content(mozilla_plugin_t)
> > + java_manage_java_tmp(mozilla_plugin_t)
> > java_home_filetrans_java_home(mozilla_plugin_t, dir,
> > ".java")
> > ')
>
> Can this go into a new tmp file type?
>
>
> > --- a/policy/modules/contrib/java.if 2017-09-16
> > 22:55:35.129019841 +0200
> > +++ b/policy/modules/contrib/java.if 2017-09-16
> > 22:55:06.801019957 +0200
> > @@ -257,6 +257,26 @@ interface(`java_manage_generic_home_cont
> > allow $1 java_home_t:file manage_file_perms;
> > ')
> >
> > +######################################
> > +## <summary>
> > +## Create, read, write, and delete
> > +## temporary java content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`java_manage_java_tmp',`
> > + gen_require(`
> > + type java_tmp_t;
> > + ')
> > +
> > + allow $1 java_tmp_t:dir manage_dir_perms;
> > + allow $1 java_tmp_t:file manage_file_perms;
> > +')
> > +
> > ########################################
> > ## <summary>
> > ## Create specified objects in user home
> >
Regards,
Guido
On 09/16/2017 05:16 PM, Guido Trentalancia via refpolicy wrote:
> Let mozilla manage temporary java content when executing
> java (strictly needed to run Java Web Start applications
> using the Java Network Launching Protocol (JNLP)).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/java.if | 20 ++++++++++++++++++++
> policy/modules/contrib/mozilla.te | 2 ++
> 2 files changed, 22 insertions(+)
>
> --- a/policy/modules/contrib/mozilla.te 2017-09-16 16:21:54.850402273 +0200
> +++ b/policy/modules/contrib/mozilla.te 2017-09-16 17:23:05.863425868 +0200
> @@ -296,6 +296,7 @@ optional_policy(`
> optional_policy(`
> java_exec(mozilla_t)
> java_manage_generic_home_content(mozilla_t)
> + java_manage_java_tmp(mozilla_t)
> java_home_filetrans_java_home(mozilla_t, dir, ".java")
> ')
>
> @@ -566,6 +567,7 @@ optional_policy(`
> optional_policy(`
> java_exec(mozilla_plugin_t)
> java_manage_generic_home_content(mozilla_plugin_t)
> + java_manage_java_tmp(mozilla_plugin_t)
> java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
> ')
>
> --- a/policy/modules/contrib/java.if 2017-09-16 22:55:35.129019841 +0200
> +++ b/policy/modules/contrib/java.if 2017-09-16 22:55:06.801019957 +0200
> @@ -257,6 +257,26 @@ interface(`java_manage_generic_home_cont
> allow $1 java_home_t:file manage_file_perms;
> ')
>
> +######################################
> +## <summary>
> +## Create, read, write, and delete
> +## temporary java content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`java_manage_java_tmp',`
> + gen_require(`
> + type java_tmp_t;
> + ')
> +
> + allow $1 java_tmp_t:dir manage_dir_perms;
> + allow $1 java_tmp_t:file manage_file_perms;
> +')
> +
> ########################################
> ## <summary>
> ## Create specified objects in user home
Merged.
--
Chris PeBenito