From: guido@trentalancia.com (Guido Trentalancia) Date: Sun, 17 Sep 2017 20:09:55 +0200 Subject: [refpolicy] [PATCH 2/2] mozilla: run Java Web Start applications In-Reply-To: References: <1505596572.13203.10.camel@trentalancia.com> Message-ID: <1505671795.25607.8.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sun, 17/09/2017 at 10.18 -0400, Chris PeBenito wrote: > On 09/16/2017 05:16 PM, Guido Trentalancia via refpolicy wrote: > > Let mozilla manage temporary java content when executing > > java (strictly needed to run Java Web Start applications > > using the Java Network Launching Protocol (JNLP)). > > > > Signed-off-by: Guido Trentalancia > > --- > > policy/modules/contrib/java.if | 20 ++++++++++++++++++++ > > policy/modules/contrib/mozilla.te | 2 ++ > > 2 files changed, 22 insertions(+) > > > > --- a/policy/modules/contrib/mozilla.te 2017-09-16 > > 16:21:54.850402273 +0200 > > +++ b/policy/modules/contrib/mozilla.te 2017-09-16 > > 17:23:05.863425868 +0200 > > @@ -296,6 +296,7 @@ optional_policy(` > > optional_policy(` > > java_exec(mozilla_t) > > java_manage_generic_home_content(mozilla_t) > > + java_manage_java_tmp(mozilla_t) > > java_home_filetrans_java_home(mozilla_t, dir, ".java") > > ') > > > > @@ -566,6 +567,7 @@ optional_policy(` > > optional_policy(` > > java_exec(mozilla_plugin_t) > > java_manage_generic_home_content(mozilla_plugin_t) > > + java_manage_java_tmp(mozilla_plugin_t) > > java_home_filetrans_java_home(mozilla_plugin_t, dir, > > ".java") > > ') > > Can this go into a new tmp file type? If the user has previously launched a Java Web Start application from the command-line, or from a domain transition (instead of java_exec()), then the temporary files (locks) are already labeled as java_tmp_t. Therefore, without such permission, if the user has previously executed Java Web Start in its own domain, it won't be able to execute it again from Mozilla because it cannot manage the previously created temporary lock files (they are not labeled mozilla_tmp_t, but java_tmp_t). > > --- a/policy/modules/contrib/java.if 2017-09-16 > > 22:55:35.129019841 +0200 > > +++ b/policy/modules/contrib/java.if 2017-09-16 > > 22:55:06.801019957 +0200 > > @@ -257,6 +257,26 @@ interface(`java_manage_generic_home_cont > > allow $1 java_home_t:file manage_file_perms; > > ') > > > > +###################################### > > +## > > +## Create, read, write, and delete > > +## temporary java content. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`java_manage_java_tmp',` > > + gen_require(` > > + type java_tmp_t; > > + ') > > + > > + allow $1 java_tmp_t:dir manage_dir_perms; > > + allow $1 java_tmp_t:file manage_file_perms; > > +') > > + > > ######################################## > > ## > > ## Create specified objects in user home > > Regards, Guido