[refpolicy] [PATCH 06/15] Add firefox file contexts for binary installations

Guido Trentalancia guido at trentalancia.com
Thu Mar 10 06:02:03 CST 2011


On Thu, 10/03/2011 at 09.27 +0100, Dominick Grift wrote:
> On 03/09/2011 11:39 PM, Guido Trentalancia wrote:
> > On Wed, 09/03/2011 at 22.12 +0100, Sven Vermeulen wrote:
> >> Binary installations of firefox provide binaries in /opt/firefox by default. 
> >>
> >> Also, the binary can be in /usr/bin (but most often this is a script that calls
> >> the binary in /opt/firefox). In both cases, this needs to be marked as
> >> mozilla_exec_t too.
> >>
> >> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> >> ---
> >>  policy/modules/apps/mozilla.fc |   10 ++++++++++
> >>  1 files changed, 10 insertions(+), 0 deletions(-)
> >>
> >> diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
> >> index 93ac529..ad59444 100644
> >> --- a/policy/modules/apps/mozilla.fc
> >> +++ b/policy/modules/apps/mozilla.fc
> >> @@ -7,6 +7,7 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
> >>  #
> >>  # /bin
> >>  #
> >> +/usr/bin/firefox(-bin)?		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
> > 
> > I think the -bin would hardly get anywhere outside of the firefox
> > directory (independently of where that is) unless one works very hard
> > towards that.
> > 
> >>  /usr/bin/netscape		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
> >>  /usr/bin/mozilla		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
> >>  /usr/bin/mozilla-snapshot	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
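Review bot: the `(-bin)?` alternative in `/usr/bin/firefox(-bin)?` is not backed by the commit message, which says /usr/bin holds a wrapper script that calls the real binary under /opt/firefox; the firefox-bin patterns are already covered under /usr/lib(64)? in this file and by the new /opt block below. Suggest the plain `/usr/bin/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)` unless a distribution is known to install firefox-bin directly into /usr/bin, in which case the commit message should say which one.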
> >> @@ -27,3 +28,12 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
> >>  /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >>  /usr/lib/[^/]*firefox[^/]*/firefox --	gen_context(system_u:object_r:mozilla_exec_t,s0)
> >>  /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +
> >> +#
> >> +# /opt
> >> +#
> >> +/opt/firefox/libxul\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
> >> +/opt/firefox/firefox		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +/opt/firefox/run-mozilla\.sh	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +/opt/firefox/firefox-bin	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
> >> +/opt/firefox/plugin-container	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
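Review bot: the `/opt/firefox/libxul\.so` line labelled textrel_shlib_t does not belong in mozilla.fc; textrel_shlib_t entries are kept in the libraries module's file contexts, so it should move there, and only after checking that the shipped libxul.so actually carries a TEXTREL flag (`readelf -d /opt/firefox/libxul.so | grep -i textrel`), since a library without text relocations should stay lib_t. Also worth a comment in the hunk: `/opt/firefox/plugin-container` is Firefox's out-of-process plugin host, and giving it mozilla_exec_t keeps it in the browser's domain rather than a separate plugin domain; if that is intended, say so next to the entry.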
> > 
> > The idea sounds desirable to me! But apart from the second and the
> > fourth elements, I had everything else labelled generically bin_t and
> > lib_t and I wasn't experiencing problems...
> 
> The textrel_shlib_t does not belong in mozilla's file context file. I
> think it's libraries.

Yes, of course.

> Besides that, I am unable to confirm that libxul needs text relocations on
> my F14 config, I believe.
> 
> > Text relocations aren't that good (libxul.so) as far as I know. Is it
> > not possible to get rid of them ? I think I could avoid that on a test
> > system.

Plain F14 policy has text relocations for libxul.so but does that
privately. Text relocations are bad if they can be avoided and usually
that is the case. Now we have at least two confirmed cases that this is
possible (me and you)...

Regards,

Guido
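The thread leaves open whether a given libxul.so really needs text relocations before it is given textrel_shlib_t instead of lib_t. The following is an added example written for this page, not refpolicy code and not something either poster supplied: it reads the .dynamic section of an ELF64 little-endian shared object and reports whether the loader will have to patch the text segment (a DT_TEXTREL tag, or DF_TEXTREL set in DT_FLAGS), then maps that onto the two file context types discussed above. The function names, the script name and the minimal ELF produced by build_sample_elf are the example's own constructions for offline testing.

```python
"""textrel_check.py: report whether an ELF64 shared object needs text relocations.

Added example for this thread; it is not refpolicy code. It performs the check a
reviewer would want before labelling a library textrel_shlib_t: parse the
.dynamic section and look for DT_TEXTREL or DF_TEXTREL in DT_FLAGS.
"""
import struct
import sys

DT_NULL = 0
DT_TEXTREL = 22
DT_FLAGS = 30
DF_TEXTREL = 0x4
SHT_DYNAMIC = 6

ELF64_EHDR = "<16sHHIQQQIHHHHHH"   # 64-byte ELF header, little-endian
ELF64_SHDR = "<IIQQQQIIQQ"          # 64-byte section header
ELF64_DYN = "<qQ"                   # 16-byte dynamic entry (d_tag, d_val)


def has_text_relocations(data):
    """Return True if the object's dynamic section asks for text relocations."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian objects are handled here")
    hdr = struct.unpack_from(ELF64_EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    for i in range(e_shnum):
        shdr = struct.unpack_from(ELF64_SHDR, data, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size, sh_entsize = shdr[1], shdr[4], shdr[5], shdr[9]
        if sh_type != SHT_DYNAMIC:
            continue
        entsize = sh_entsize or struct.calcsize(ELF64_DYN)
        for j in range(sh_size // entsize):
            d_tag, d_val = struct.unpack_from(ELF64_DYN, data, sh_offset + j * entsize)
            if d_tag == DT_NULL:
                break
            # Old-style marker tag, or the flag bit newer linkers set instead.
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
    return False


def suggested_lib_type(data):
    """File context type a reviewer would propose for this library (assumed mapping)."""
    return "textrel_shlib_t" if has_text_relocations(data) else "lib_t"


def build_sample_elf(dynamic_entries):
    """Constructed minimal ELF64 ET_DYN object with only a .dynamic section (test input)."""
    dyn = b"".join(struct.pack(ELF64_DYN, tag, val) for tag, val in dynamic_entries)
    dyn += struct.pack(ELF64_DYN, DT_NULL, 0)
    ehsize = struct.calcsize(ELF64_EHDR)
    shoff = ehsize + len(dyn)                      # section headers follow .dynamic
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, v1, SysV ABI
    header = struct.pack(ELF64_EHDR, ident, 3, 62, 1, 0, 0, shoff, 0,
                         ehsize, 56, 0, 64, 2, 0)  # ET_DYN, x86-64, two sections
    sh_null = struct.pack(ELF64_SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    sh_dyn = struct.pack(ELF64_SHDR, 0, SHT_DYNAMIC, 0x3, 0, ehsize, len(dyn), 0, 0, 8, 16)
    return header + dyn + sh_null + sh_dyn


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, "rb") as f:
                print("%-40s %s" % (path, suggested_lib_type(f.read())))
    else:
        # Constructed samples standing in for a libxul.so with and without TEXTREL.
        for name, entries in [("with-textrel.so", [(DT_FLAGS, DF_TEXTREL)]),
                              ("clean.so", [(DT_FLAGS, 0x8)])]:   # 0x8 is DF_BIND_NOW
            print("%-40s %s" % (name, suggested_lib_type(build_sample_elf(entries))))
```

Run it as `python3 textrel_check.py /opt/firefox/libxul.so` on the installation in question; the result should agree with `readelf -d /opt/firefox/libxul.so | grep -i textrel`, which is the quicker check where binutils is installed. A library that reports lib_t on one build and textrel_shlib_t on another is the situation the thread describes, and the fix belongs in how that build was linked rather than in the policy.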


