From: domg472@gmail.com (Dominick Grift)
Date: Thu, 10 Mar 2011 09:27:10 +0100
Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations
In-Reply-To: <1299710378.2974.26.camel@tesla.lan>
References: <20110309211238.GA4704@siphos.be> <1299710378.2974.26.camel@tesla.lan>
Message-ID: <4D788B5E.9060308@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/09/2011 11:39 PM, Guido Trentalancia wrote:
> On Wed, 09/03/2011 at 22.12 +0100, Sven Vermeulen wrote:
>> Binary installations of firefox provide binaries in /opt/firefox by default.
>>
>> Also, binary can be in /usr/bin (but most often this is a script that calls
>> the binary in /opt/firefox). In both cases, this needs to be marked as
>> mozilla_exec_t too.
>>
>> Signed-off-by: Sven Vermeulen
>> ---
>> policy/modules/apps/mozilla.fc | 10 ++++++++++
>> 1 files changed, 10 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
>> index 93ac529..ad59444 100644
>> --- a/policy/modules/apps/mozilla.fc
>> +++ b/policy/modules/apps/mozilla.fc
>> @@ -7,6 +7,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
>> #
>> # /bin
>> #
>> +/usr/bin/firefox(-bin)? -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>
> I think the -bin would hardly get anywhere outside of the firefox
> directory (independently of where that is) unless one works very hard
> towards that.
>
>> /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> @@ -27,3 +28,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
>> /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> +
>> +#
>> +# /opt
>> +#
>> +/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>> +/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> +/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> +/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>> +/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
>
> The idea sounds desirable to me! But apart from the second and the
> fourth elements, I had anything else labelled generically bin_t and
> lib_t and I wasn't experiencing problems...

The textrel_shlib_t does not belong in mozilla's file context file. I
think it's libraries. Besides that I am unable to confirm the libxul
needs text relocations on my f14 config I believe.

> Text relocations aren't that good (libxul.so) as far as I know. Is it
> not possible to get rid of them? I think I could avoid that on a test
> system.
>
> Regards,
>
> Guido
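Review bot: In the first hunk, the optional `(-bin)?` group on the new `/usr/bin/firefox(-bin)?` entry is not covered by the commit message, which only describes /usr/bin/firefox as a binary or, more often, a script that calls the binary in /opt/firefox. Either drop the group so the entry matches only /usr/bin/firefox, or state in the commit message which installation places a firefox-bin in /usr/bin, so the mozilla_exec_t label is not applied to a path nobody has verified.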
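Review bot: In the second hunk, `/opt/firefox/libxul\.so` is given textrel_shlib_t, the only entry in the visible parts of this file that does not use a mozilla_* type, and the commit message neither mentions the library nor says why it needs that label. Suggest dropping that line from mozilla.fc and handling the library label separately, with the need for text relocations stated. The new entries also hard-code `/opt/firefox`, while the neighbouring /usr/lib entries match `[^/]*firefox[^/]*`, so a versioned or renamed install directory under /opt would not be covered; consider the same pattern, or note in the commit message that the fixed path is intended.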