From: guido@trentalancia.com (Guido Trentalancia) Date: Sun, 17 Sep 2017 20:18:46 +0200 Subject: [refpolicy] [PATCH 2/2] mozilla: run Java Web Start applications In-Reply-To: References: <1505596572.13203.10.camel@trentalancia.com> Message-ID: <1505672326.25607.11.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I also take the opportunity to remind you that without the following patch: http://oss.tresys.com/pipermail/refpolicy/2017-June/009766.html Java Web Start cannot run in its own domain (i.e. as java_t). So, for example, the user cannot launch a Java Web Start application from the command-line, but only from mozilla... On Sun, 17/09/2017 at 10.18 -0400, Chris PeBenito wrote: > On 09/16/2017 05:16 PM, Guido Trentalancia via refpolicy wrote: > > Let mozilla manage temporary java content when executing > > java (strictly needed to run Java Web Start applications > > using the Java Network Launching Protocol (JNLP)). > > > > Signed-off-by: Guido Trentalancia > > --- > > policy/modules/contrib/java.if | 20 ++++++++++++++++++++ > > policy/modules/contrib/mozilla.te | 2 ++ > > 2 files changed, 22 insertions(+) > > > > --- a/policy/modules/contrib/mozilla.te 2017-09-16 > > 16:21:54.850402273 +0200 > > +++ b/policy/modules/contrib/mozilla.te 2017-09-16 > > 17:23:05.863425868 +0200 > > @@ -296,6 +296,7 @@ optional_policy(` > > optional_policy(` > > java_exec(mozilla_t) > > java_manage_generic_home_content(mozilla_t) > > + java_manage_java_tmp(mozilla_t) > > java_home_filetrans_java_home(mozilla_t, dir, ".java") > > ') > > > > @@ -566,6 +567,7 @@ optional_policy(` > > optional_policy(` > > java_exec(mozilla_plugin_t) > > java_manage_generic_home_content(mozilla_plugin_t) > > + java_manage_java_tmp(mozilla_plugin_t) > > java_home_filetrans_java_home(mozilla_plugin_t, dir, > > ".java") > > ') > > Can this go into a new tmp file type? > > > > --- a/policy/modules/contrib/java.if 2017-09-16 > > 22:55:35.129019841 +0200 
> > +++ b/policy/modules/contrib/java.if 2017-09-16 > > 22:55:06.801019957 +0200 > > @@ -257,6 +257,26 @@ interface(`java_manage_generic_home_cont > > allow $1 java_home_t:file manage_file_perms; > > ') > > > > +###################################### > > +## > > +## Create, read, write, and delete > > +## temporary java content. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`java_manage_java_tmp',` > > + gen_require(` > > + type java_tmp_t; > > + ') > > + > > + allow $1 java_tmp_t:dir manage_dir_perms; > > + allow $1 java_tmp_t:file manage_file_perms; > > +') > > + > > ######################################## > > ## > > ## Create specified objects in user home > > Regards, Guido
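Review bot: The java_manage_java_tmp() calls added for mozilla_t (mozilla.te, @@ -296) and mozilla_plugin_t (@@ -567) grant more than the commit message justifies. As defined in this patch, the interface gives manage_dir_perms and manage_file_perms on java_tmp_t, so both browser domains can create, modify and delete any java_tmp_t content, including temporary files that belong to Java processes running in their own domain. The message says only that the access is "strictly needed" for JNLP and does not say which operations were denied. Please list the denials that motivated the change and grant only those permissions, or, as asked in the review, label the Web Start temporary content with a dedicated tmp type so that the browser's access does not extend to all java_tmp_t files.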
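Review bot: In the new java_manage_java_tmp interface (java.if, @@ -257), the body is limited to the two allow rules on java_tmp_t:dir and java_tmp_t:file, with nothing that lets the calling domain search the parent temporary directory. A caller that does not already have that access from elsewhere cannot reach the content the interface is meant to expose. Consider adding files_search_tmp($1) ahead of the allow rules so the interface is usable on its own, and note in the summary that the access covers directories as well as files.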