From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 09 Mar 2011 23:39:38 +0100 Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations In-Reply-To: <20110309211238.GA4704@siphos.be> References: <20110309211238.GA4704@siphos.be> Message-ID: <1299710378.2974.26.camel@tesla.lan> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 09/03/2011 at 22.12 +0100, Sven Vermeulen wrote: > Binary installations of firefox provide binaries in /opt/firefox by default. > > Also, binary can be in /usr/bin (but most often this is a script that calls > the binary in /opt/firefox). In both cases, this needs to be marked as > mozilla_exec_t too. > > Signed-off-by: Sven Vermeulen > --- > policy/modules/apps/mozilla.fc | 10 ++++++++++ > 1 files changed, 10 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc > index 93ac529..ad59444 100644 > --- a/policy/modules/apps/mozilla.fc > +++ b/policy/modules/apps/mozilla.fc > @@ -7,6 +7,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > # > # /bin > # > +/usr/bin/firefox(-bin)? -- gen_context(system_u:object_r:mozilla_exec_t,s0) I think the -bin would hardly get anywhere outside of the firefox directory (independently of where that is) unless one works very hard towards that. > /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) > /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) > /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) 
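Review bot: the `(-bin)?` alternative in the new `/usr/bin/firefox(-bin)?` entry is not justified by the commit message, which says `/usr/bin/firefox` is usually a wrapper script that calls the binary in `/opt/firefox`; unless a distribution actually installs `firefox-bin` directly into `/usr/bin`, the plain `/usr/bin/firefox` pattern is enough and keeps the entry consistent with the `netscape`/`mozilla` lines beside it. Labelling the wrapper script `mozilla_exec_t` is the right thing for the domain transition (SELinux computes the transition from the script's label, not the interpreter's), but the commit message should say so explicitly, and it is worth confirming that the `mozilla_t` domain is allowed to execute `mozilla_exec_t` again, since the wrapper will exec `/opt/firefox/firefox` after the transition has already happened.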
> @@ -27,3 +28,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) > /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) > /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) > + > +# > +# /opt > +# > +/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) > +/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) > +/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0) > +/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) > +/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0) The idea sounds desirable to me ! But apart from the second and the fourth elements, I had anything else labelled generically bin_t and lib_t and I wasn't experiencing problems... Text relocations aren't that good (libxul.so) as far as I know. Is it not possible to get rid of them ? I think I could avoid that on a test system. Regards, Guido
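Review bot: the `/opt/firefox/libxul\.so ... textrel_shlib_t` line deserves a comment explaining why it is needed, because `textrel_shlib_t` relaxes the `execmod` restriction for that library and should only be used when the shipped `libxul.so` really carries text relocations (`readelf -d libxul.so` listing a `TEXTREL` entry is the check; a build without it can stay on the default `lib_t`). The remaining `/opt` entries also hard-code the directory name, whereas the `/usr/lib` entries above use `[^/]*firefox[^/]*` to cover versioned install directories; if binary tarballs are ever unpacked as `/opt/firefox-<version>` or similar, the same pattern style would keep them labelled. Finally, since `run-mozilla.sh` and `plugin-container` are all given `mozilla_exec_t`, the patch description should note that these helpers will run in the same `mozilla_t` domain as the browser rather than in a separate one.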