From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 15 Oct 2012 16:24:03 +0200
Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash
In-Reply-To: <507C184D.6000405@redhat.com>
References: <1350244316-11712-1-git-send-email-debian@mikapflueger.de> <1350245855.9829.8.camel@d30.localdomain> <1350246825.9829.11.camel@d30.localdomain> <1350247483.9829.19.camel@d30.localdomain> <507C184D.6000405@redhat.com>
Message-ID: <1350311043.5279.4.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> I agree we should start to be moving to more types in homedir for better
> separation. I would love to try to remove mozilla_plugin_t from full access
> to mozilla_home_t also.

Yes, if we can somehow prevent plugin access to passwords, that would already be a win.

Another thing that comes to mind is .mozilla/plugins.

If we give that a private type of, let's say, mozilla_plugin_home_t, then we can allow mozilla_t/mozilla_plugin (whatever mmaps flash) mmap access to only content in there (libflashplayer.so etc.).

Not very important, but might be nice to have so that users can download and run plugins at their own discretion and still have some level of mandatory protection.