From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 2 May 2011 22:45:50 +0200 Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage tempfiles In-Reply-To: <4D89F14D.5070500@tresys.com> References: <20110309211121.GA4682@siphos.be> <4D89F14D.5070500@tresys.com> Message-ID: <20110502204550.GA28333@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, Mar 23, 2011 at 09:10:37AM -0400, Christopher J. PeBenito wrote: > > userdom_use_user_ptys(mozilla_t) > > +userdom_manage_user_tmp_files(mozilla_t) > > +userdom_manage_user_tmp_sockets(mozilla_t) > > Do you have more info on these? Such as what files and sockets are > being managed? Not anymore apparently. Been running now for quite some time without these privileges and I get no problems with it. Retry: Mozilla/Firefox creates temporary files for its plugin support (for instance while viewing flc streams), like /tmp/plugtmp/plugin-crossdomain.xml. Update policy to allow it to create its own tmp type and perform a file transition when creating a file or directory in a tmp_t location (like /tmp). Signed-off-by: Sven Vermeulen --- policy/modules/apps/mozilla.te | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 2a91fa8..9c0e5dc 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -33,6 +33,12 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_ files_tmpfs_file(mozilla_tmpfs_t) ubac_constrained(mozilla_tmpfs_t) +type mozilla_tmp_t; +typealias mozilla_tmp_t alias { user_mozilla_tmp_t staff_mozilla_tmp_t sysadm_mozilla_tmp_t }; +typealias mozilla_tmp_t alias { auditadm_mozilla_t secadm_mozilla_t }; +files_tmp_file(mozilla_tmp_t) +ubac_constrained(mozilla_tmp_t) + ######################################## # # Local policy 
@@ -68,6 +74,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) +manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) +manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) +files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) + kernel_read_kernel_sysctls(mozilla_t) kernel_read_network_state(mozilla_t) # Access /proc, sysctl -- 1.7.3.4
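Review bot: in the first hunk, the second typealias line reads `typealias mozilla_tmp_t alias { auditadm_mozilla_t secadm_mozilla_t };`, which does not follow the naming pattern of the line just above it (user_mozilla_tmp_t, staff_mozilla_tmp_t, sysadm_mozilla_tmp_t) or of the existing mozilla_tmpfs_t aliases in the hunk header (auditadm_mozilla_tmpfs_t, secadm_mozilla_tmpfs_t); the names as written look like the aliases belonging to the mozilla_t domain itself, so this would either fail to compile against the existing alias declarations or give the tmp type a misleading alias name. Suggest `typealias mozilla_tmp_t alias { auditadm_mozilla_tmp_t secadm_mozilla_tmp_t };`. The rest of the hunk (files_tmp_file and ubac_constrained on the new type) is consistent with how mozilla_tmpfs_t is declared directly above it.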