From: domg472@gmail.com (Dominick Grift) Date: Thu, 10 Mar 2011 09:39:58 +0100 Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage tempfiles In-Reply-To: <20110309211121.GA4682@siphos.be> References: <20110309211121.GA4682@siphos.be> Message-ID: <4D788E5E.1010600@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/09/2011 10:11 PM, Sven Vermeulen wrote: > To be able to launch firefox, firefox needs to use tmp files and sockets. > Create a domain for firefox to work in. Use ubac_constrained as not to > potentially leak info sockets are for pulseaudio and gconfd ( both of which i rather would confine ) in my policy firefox is allowed to manage mozilla_tmp_t dirs files and fifo files. in my policy firefox does not need access to user_tmp_t content but that is because i have almost everything confined here in f14. I am just saying that its possible. http://fedorapeople.org/gitweb?p=domg472/public_git/refpolicy.git;a=blob;f=policy/modules/apps/mozilla.if;h=ee4b0ea7f0fd9d5fec9b2f3d7cd85d6992e40bc4;hb=d95cf13ca9071539d5141df857bb9c869f1d2356 I have been using this policy for months now. > policy/modules/apps/mozilla.te | 10 ++++++++++ > 1 files changed, 10 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te > index 2a91fa8..c8c459c 100644 > --- a/policy/modules/apps/mozilla.te > +++ b/policy/modules/apps/mozilla.te > @@ -33,6 +33,10 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_ > files_tmpfs_file(mozilla_tmpfs_t) > ubac_constrained(mozilla_tmpfs_t) > > +type mozilla_tmp_t; > +files_tmp_file(mozilla_tmp_t) > +ubac_contrained(mozilla_tmp_t) > + > ######################################## > # > # Local policy > @@ -68,6 +72,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) > manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) > fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) > > +manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) > +manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) > +files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } ) > + > kernel_read_kernel_sysctls(mozilla_t) > kernel_read_network_state(mozilla_t) > # Access /proc, sysctl > @@ -142,6 +150,8 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) > sysnet_dns_name_resolve(mozilla_t) > > userdom_use_user_ptys(mozilla_t) > +userdom_manage_user_tmp_files(mozilla_t) > +userdom_manage_user_tmp_sockets(mozilla_t) > > xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) > xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk14jl4ACgkQMlxVo39jgT9V3gCeIx+vLWn4IW4evyVNOVheIqpw 1XQAn3KGZgV9aHlnS/51e1S+tDQX7o4h =gVdY -----END PGP SIGNATURE-----