From: dominick.grift@gmail.com (Dominick Grift) Date: Wed, 17 Oct 2012 15:05:42 +0200 Subject: [refpolicy] [COMMIT]refpolicy-contrib branch, master, updated. RELEASE_2_20120725-478-g3507646 In-Reply-To: References: <201210171226.q9HCQ4CN007318@oss.tresys.com> Message-ID: <1350479142.16371.20.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Yes i like dwalshs' idea of trying to make it so that mozilla plugin doesnt need to access mozilla home content Since it seems that mozilla plugin might need to exec/mmap/execmod plugin files i decided to try and label that content with a new mozilla_plugin_home_t type mozilla plugin can exec/mmap that content and conditionally execmod it I have also taken your comment about application needing access to ~/.adobe and that people do not trust flash And so i think i am meeting halfway with this solution. It is not such a bug problem if other browsers need access to mozilla_plugin_home_t ( not as big of a problem than them needing access to mozilla_home_t) but the content still have a private type so that we can block access to it A seperate flash_home_t type is giving too much credit to adobe ( I just think its not needed a generic mozilla_plugin_home type for all those plugins should be fine i believe) On Wed, 2012-10-17 at 14:50 +0200, Sven Vermeulen wrote: > Is labelling the .adobe location correct here? I got the impression > from the discussion that this might not be the way to go taking into > account that other domains need access to the .adobe location as well. > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy