From: dominick.grift@gmail.com (Dominick Grift)
Date: Sun, 14 Oct 2012 22:33:45 +0200
Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash
In-Reply-To: <1350245855.9829.8.camel@d30.localdomain>
References: <1350244316-11712-1-git-send-email-debian@mikapflueger.de> <1350245855.9829.8.camel@d30.localdomain>
Message-ID: <1350246825.9829.11.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 2012-10-14 at 22:17 +0200, Dominick Grift wrote:
> I actually revisited the mozilla plugin and I am thinking about how to
> deal with plugins like flash and their userdom user home content.
>
> I am not yet sure if mozilla_home_t is the optimal type for this and if
> it is worth having a private type for it.
>
> Mozilla home type files are sensitive in a sense. Consider your
> passwords stored in mozilla etc.
>
> I am not sure whether flash home content justifies having a private type
> and, if so, whether it is a good idea to label it mozilla home t.
>
> If we label it mozilla home t and some app needs access to flash, then it
> automatically has access to mozilla content, and I am not sure if this is
> desired.
>
> We now have the named file transition functionality, so we can allow
> mozilla access to generic user home content without problem and still
> have its sensitive content protected with the mozilla home type.
>
> I would like the opinion of others on this issue.
>
> Is it worth labeling flash content in home? And if so, what would be a
> better idea: 1. to classify it as mozilla home content, or to classify it
> as something else?

Also consider the following: one has two browsers, for example firefox and
chromium. Both use flash, and both have their content in home with their
own private type. The flash content in home is labeled, as per your
suggestion, mozilla_home_t. Now chromium needs access to mozilla_home_t
and as a consequence can now also edit mozilla content. This seems like a
bad idea to me.

> On Sun, 2012-10-14 at 21:51 +0200, Mika Pflüger wrote:
> > From: Russel Coker
> >
> > ---
> >  mozilla.fc | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/mozilla.fc b/mozilla.fc
> > index 3a73e74..271928b 100644
> > --- a/mozilla.fc
> > +++ b/mozilla.fc
> > @@ -1,3 +1,4 @@
> > +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> > HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> > HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> > HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> >
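Review bot: the added `HOME_DIR/\.adobe(/.*)?` line folds Flash's per-user state into mozilla_home_t, so every domain that is already allowed mozilla_home_t (the context lines show ~/.config/chromium, ~/.galeon and ~/.java are in that type as well) gains read/write access to the Flash data, and any domain that needs only the Flash data must be granted access to all mozilla home content, including stored passwords; a dedicated type for plugin home content (placeholder name, e.g. mozilla_plugin_home_t, to be chosen by the policy maintainers) would keep the two separable. The commit message is also empty below the `From: Russel Coker` line; it should state why ~/.adobe needs a label at all and why sharing mozilla_home_t was judged acceptable, so the trade-off raised in this thread is recorded with the change.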