From: domg472@gmail.com (Dominick Grift)
Date: Thu, 10 Mar 2011 09:39:58 +0100
Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage
	tempfiles
In-Reply-To: <20110309211121.GA4682@siphos.be>
References: <20110309211121.GA4682@siphos.be>
Message-ID: <4D788E5E.1010600@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/09/2011 10:11 PM, Sven Vermeulen wrote:
> To be able to launch firefox, firefox needs to use tmp files and sockets. 
> Create a domain for firefox to work in. Use ubac_constrained as not to 
> potentially leak info

sockets are for pulseaudio and gconfd ( both of which i rather would
confine )

in my policy firefox is allowed to manage mozilla_tmp_t dirs files and
fifo files.

in my policy firefox does not need access to user_tmp_t content but that
is because i have almost everything confined here in f14. I am just
saying that its possible.

http://fedorapeople.org/gitweb?p=domg472/public_git/refpolicy.git;a=blob;f=policy/modules/apps/mozilla.if;h=ee4b0ea7f0fd9d5fec9b2f3d7cd85d6992e40bc4;hb=d95cf13ca9071539d5141df857bb9c869f1d2356

I have been using this policy for months now.


>  policy/modules/apps/mozilla.te |   10 ++++++++++
>  1 files changed, 10 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
> index 2a91fa8..c8c459c 100644
> --- a/policy/modules/apps/mozilla.te
> +++ b/policy/modules/apps/mozilla.te
> @@ -33,6 +33,10 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
>  files_tmpfs_file(mozilla_tmpfs_t)
>  ubac_constrained(mozilla_tmpfs_t)
>  
> +type mozilla_tmp_t;
> +files_tmp_file(mozilla_tmp_t)
> +ubac_contrained(mozilla_tmp_t)
> +
>  ########################################
>  #
>  # Local policy
> @@ -68,6 +72,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
>  manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
>  fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
>  
> +manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } )
> +
>  kernel_read_kernel_sysctls(mozilla_t)
>  kernel_read_network_state(mozilla_t)
>  # Access /proc, sysctl
> @@ -142,6 +150,8 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
>  sysnet_dns_name_resolve(mozilla_t)
>  
>  userdom_use_user_ptys(mozilla_t)
> +userdom_manage_user_tmp_files(mozilla_t)
> +userdom_manage_user_tmp_sockets(mozilla_t)
>  
>  xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
>  xserver_dontaudit_read_xdm_tmp_files(mozilla_t)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk14jl4ACgkQMlxVo39jgT9V3gCeIx+vLWn4IW4evyVNOVheIqpw
1XQAn3KGZgV9aHlnS/51e1S+tDQX7o4h
=gVdY
-----END PGP SIGNATURE-----