From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 17 Sep 2017 20:09:55 +0200
Subject: [refpolicy] [PATCH 2/2] mozilla: run Java Web Start applications
In-Reply-To: <b2d546d7-7cf7-375b-90e6-ed9ef182365a@ieee.org>
References: <1505596572.13203.10.camel@trentalancia.com>
	<b2d546d7-7cf7-375b-90e6-ed9ef182365a@ieee.org>
Message-ID: <1505671795.25607.8.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 17/09/2017 at 10.18 -0400, Chris PeBenito wrote:
> On 09/16/2017 05:16 PM, Guido Trentalancia via refpolicy wrote:
> > Let mozilla manage temporary java content when executing
> > java (strictly needed to run Java Web Start applications
> > using the Java Network Launching Protocol (JNLP)).
> >   
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> > ---
> >   policy/modules/contrib/java.if    |   20 ++++++++++++++++++++
> >   policy/modules/contrib/mozilla.te |    2 ++
> >   2 files changed, 22 insertions(+)
> > 
> > --- a/policy/modules/contrib/mozilla.te	2017-09-16
> > 16:21:54.850402273 +0200
> > +++ b/policy/modules/contrib/mozilla.te	2017-09-16
> > 17:23:05.863425868 +0200
> > @@ -296,6 +296,7 @@ optional_policy(`
> >   optional_policy(`
> >   	java_exec(mozilla_t)
> >   	java_manage_generic_home_content(mozilla_t)
> > +	java_manage_java_tmp(mozilla_t)
> >   	java_home_filetrans_java_home(mozilla_t, dir, ".java")
> >   ')
> >   
> > @@ -566,6 +567,7 @@ optional_policy(`
> >   optional_policy(`
> >   	java_exec(mozilla_plugin_t)
> >   	java_manage_generic_home_content(mozilla_plugin_t)
> > +	java_manage_java_tmp(mozilla_plugin_t)
> >   	java_home_filetrans_java_home(mozilla_plugin_t, dir,
> > ".java")
> >   ')
> 
> Can this go into a new tmp file type?

If the user has previously launched a Java Web Start application from
the command-line, or from a domain transition (instead of java_exec()),
then the temporary files (locks) are already labeled as java_tmp_t.

Therefore, without such permission, if the user has previously executed
Java Web Start in its own domain, it won't be able to execute it again
from Mozilla because it cannot manage the previously created temporary
lock files (they are not labeled mozilla_tmp_t, but java_tmp_t).

> > --- a/policy/modules/contrib/java.if	2017-09-16
> > 22:55:35.129019841 +0200
> > +++ b/policy/modules/contrib/java.if	2017-09-16
> > 22:55:06.801019957 +0200
> > @@ -257,6 +257,26 @@ interface(`java_manage_generic_home_cont
> >   	allow $1 java_home_t:file manage_file_perms;
> >   ')
> >   
> > +######################################
> > +## <summary>
> > +##      Create, read, write, and delete
> > +##      temporary java content.
> > +## </summary>
> > +## <param name="domain">
> > +##      <summary>
> > +##      Domain allowed access.
> > +##      </summary>
> > +## </param>
> > +#
> > +interface(`java_manage_java_tmp',`
> > +	gen_require(`
> > +		type java_tmp_t;
> > +	')
> > +
> > +	allow $1 java_tmp_t:dir manage_dir_perms;
> > +	allow $1 java_tmp_t:file manage_file_perms;
> > +')
> > +
> >   ########################################
> >   ## <summary>
> >   ##	Create specified objects in user home
> > 

Regards,

Guido