From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 10 Mar 2011 13:02:03 +0100
Subject: [refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations
In-Reply-To: <4D788B5E.9060308@gmail.com>
References: <20110309211238.GA4704@siphos.be> <1299710378.2974.26.camel@tesla.lan> <4D788B5E.9060308@gmail.com>
Message-ID: <1299758523.4243.17.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 10/03/2011 at 09.27 +0100, Dominick Grift wrote:
> On 03/09/2011 11:39 PM, Guido Trentalancia wrote:
> > On Wed, 09/03/2011 at 22.12 +0100, Sven Vermeulen wrote:
> >> Binary installations of firefox provide binaries in /opt/firefox by default.
> >>
> >> Also, the binary can be in /usr/bin (but most often this is a script that calls
> >> the binary in /opt/firefox). In both cases, this needs to be marked as
> >> mozilla_exec_t too.
> >>
> >> Signed-off-by: Sven Vermeulen
> >> ---
> >>  policy/modules/apps/mozilla.fc | 10 ++++++++++
> >>  1 files changed, 10 insertions(+), 0 deletions(-)
> >>
> >> diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
> >> index 93ac529..ad59444 100644
> >> --- a/policy/modules/apps/mozilla.fc
> >> +++ b/policy/modules/apps/mozilla.fc
> >> @@ -7,6 +7,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> >>  #
> >>  # /bin
> >>  #
> >> +/usr/bin/firefox(-bin)? -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >
> > I think the -bin would hardly get anywhere outside of the firefox
> > directory (independently of where that is) unless one works very hard
> > towards that.
> >
> >>  /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >>  /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >>  /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
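Review bot: the `(-bin)?` alternative in `/usr/bin/firefox(-bin)?` looks dead for the case this patch describes. The commit message says /usr/bin holds a wrapper script that calls the binary in /opt/firefox, and the reply above makes the same point that firefox-bin is unlikely to turn up outside the firefox directory. Suggest labelling only `/usr/bin/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)` unless a distribution that actually ships firefox-bin in /usr/bin is known; an entry that never matches only obscures what the module intends to confine.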
> >> @@ -27,3 +28,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> >>  /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >>  /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >>  /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +
> >> +#
> >> +# /opt
> >> +#
> >> +/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> >> +/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >
> > The idea sounds desirable to me! But apart from the second and the
> > fourth elements, I had anything else labelled generically bin_t and
> > lib_t and I wasn't experiencing problems...
>
> The textrel_shlib_t does not belong in mozilla's file context file. I
> think it's libraries.

Yes, of course.

> Besides that I am unable to confirm the libxul needs text relocations on
> my f14 config, I believe.
>
> > Text relocations aren't that good (libxul.so) as far as I know. Is it
> > not possible to get rid of them? I think I could avoid that on a test
> > system.

Plain F14 policy has text relocations for libxul.so but does that
privately. Text relocations are bad if they can be avoided and usually
that is the case. Now we have at least two confirmed cases that this is
possible (me and you)...

Regards,

Guido
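Review bot: `/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` is in the wrong module and rests on an unverified assumption. Shared-library labels such as textrel_shlib_t belong in libraries.fc, not mozilla.fc, and the entry should only be added if the shipped libxul.so actually carries text relocations, which the thread could not confirm on F14 (check with `readelf -d libxul.so` for a TEXTREL entry; without one the library can stay generic lib_t, which the reply above reports works). Separately, the /usr/lib entries in the same hunk tolerate versioned directory names with `[^/]*firefox[^/]*`, while the new /opt entries are fixed to `/opt/firefox/`; that matches the "by default" path in the description but will silently miss a tarball unpacked into a versioned directory, so either document the assumption or use the same pattern.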
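The open question in the thread, whether libxul.so actually carries text relocations and therefore needs textrel_shlib_t, is something a policy author would verify before adding the file context rather than assume. The following is an added example, not code from the refpolicy patch or from anyone in this thread. It reads the ELF64 little-endian program headers, finds the PT_DYNAMIC segment and looks for the DT_TEXTREL tag or the DF_TEXTREL bit in DT_FLAGS, which is the condition `readelf -d` reports as TEXTREL, then emits the matching .fc line. The minimal ELF image used as sample input is constructed in the block and is not loadable; the `build_minimal_so`, `file_context_line` and `scan_tree` names are illustrative and not part of refpolicy or any ELF tool.

```python
"""Check a shared object for text relocations and propose its SELinux
file-context line (added example, not refpolicy code).

Only ELF64 little-endian (LSB) images are handled; that is what an
x86-64 binary Firefox tarball contains. Other classes raise ValueError
rather than silently returning False.
"""
import os
import struct
import sys

PT_DYNAMIC = 2
DT_NULL = 0
DT_TEXTREL = 16
DT_FLAGS = 30
DF_TEXTREL = 0x4
EHDR_SIZE = 64     # sizeof(Elf64_Ehdr)
PHDR_SIZE = 56     # sizeof(Elf64_Phdr)
DYN_SIZE = 16      # sizeof(Elf64_Dyn)


def has_textrel(data: bytes) -> bool:
    """Return True if the ELF64 LSB image needs text relocations.

    The loader treats either a bare DT_TEXTREL entry or DF_TEXTREL set in
    DT_FLAGS as "this object writes to its text segment at load time";
    SELinux then needs textrel_shlib_t (execmod) for it to load at all.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are supported")
    # e_phoff is at 0x20 (8 bytes); e_phentsize/e_phnum at 0x36/0x38.
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, off)
        if p_type != PT_DYNAMIC:
            continue
        # Walk the dynamic section: (Sxword d_tag, Xword d_val) pairs.
        for entry in range(p_offset, p_offset + p_filesz, DYN_SIZE):
            if entry + DYN_SIZE > len(data):
                break                      # truncated image: stop, do not crash
            d_tag, d_val = struct.unpack_from("<qQ", data, entry)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
        return False
    return False  # no PT_DYNAMIC: static image, nothing to relocate at load


def file_context_line(path: str, textrel: bool) -> str:
    """Refpolicy-style .fc line; '.' is escaped because .fc paths are regexes."""
    label = "textrel_shlib_t" if textrel else "lib_t"
    return f"{path.replace('.', chr(92) + '.')}\t--\tgen_context(system_u:object_r:{label},s0)"


def build_minimal_so(mode: str = "none") -> bytes:
    """Constructed sample input: ELF64 LSB header, one PT_DYNAMIC phdr and a
    tiny dynamic section. mode is 'none', 'dt_textrel' or 'df_textrel'."""
    entries = {"none": [], "dt_textrel": [(DT_TEXTREL, 0)],
               "df_textrel": [(DT_FLAGS, DF_TEXTREL)]}[mode]
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in entries + [(DT_NULL, 0)])
    dyn_off = EHDR_SIZE + PHDR_SIZE
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)       # ELFCLASS64, LSB
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, EHDR_SIZE, 0, 0,
                               EHDR_SIZE, PHDR_SIZE, 1, 64, 0, 0)  # ET_DYN, x86-64
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


def scan_tree(root: str) -> list[str]:
    """Propose .fc lines for every *.so under root that needs textrel_shlib_t."""
    lines = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if ".so" not in name:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    if has_textrel(fh.read()):
                        lines.append(file_context_line(path, True))
                except ValueError:
                    continue               # non-ELF or unsupported class: skip
    return lines


if __name__ == "__main__":
    # e.g. python3 textrel_check.py /opt/firefox
    for line in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/opt/firefox"):
        print(line)
```

Run against an unpacked binary tarball, an empty result means no textrel_shlib_t entry is warranted and the libraries can keep the generic lib_t label; a non-empty result is the line to put in libraries.fc, not in mozilla.fc.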