New domain for nsplugin

New domain for nsplugin

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: apps_nsplugin.patch.gz --]
[-- Type: application/x-gzip, Size: 2782 bytes --]

Re: New domain for nsplugin

[Christopher J. PeBenito]

On Mon, 2008-05-19 at 13:12 -0400, Daniel J Walsh wrote:
> --- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1969-12-31 19:00:00.000000000 -0500
> +++ serefpolicy-3.4.1/policy/modules/apps/nsplugin.fc	2008-05-19 11:36:24.749177000 -0400
> @@ -0,0 +1,9 @@
> +
> +/usr/lib(64)?/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
> +/usr/lib(64)?/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
> +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
> +
> +HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
> +HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:user_nsplugin_home_t,s0)
> +HOME_DIR/\.gstreamer-.*			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
> +HOME_DIR/\.local.*			gen_context(system_u:object_r:user_nsplugin_home_t,s0)

I'm having trouble buying this one.  It seems pretty broad, especially
since acrobat isn't only a browser plugin, and I'm not sure what
gstreamer is doing here.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New domain for nsplugin

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher J. PeBenito wrote:
| On Mon, 2008-05-19 at 13:12 -0400, Daniel J Walsh wrote:
|> --- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1969-12-31
19:00:00.000000000 -0500
|> +++ serefpolicy-3.4.1/policy/modules/apps/nsplugin.fc	2008-05-19
11:36:24.749177000 -0400
|> @@ -0,0 +1,9 @@
|> +
|> +/usr/lib(64)?/nspluginwrapper/npviewer.bin	--
gen_context(system_u:object_r:nsplugin_exec_t,s0)
|> +/usr/lib(64)?/nspluginwrapper/plugin-config	--
gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
|> +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?		
gen_context(system_u:object_r:nsplugin_rw_t,s0)
|> +
|> +HOME_DIR/\.adobe(/.*)?		
gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|> +HOME_DIR/\.macromedia(/.*)?	
gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|> +HOME_DIR/\.gstreamer-.*		
gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|> +HOME_DIR/\.local.*		
gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|
| I'm having trouble buying this one.  It seems pretty broad, especially
| since acrobat isn't only a browser plugin, and I'm not sure what
| gstreamer is doing here.
|
These are basically directories that nsplugin needs to write in.  So we
can define a new context for each, without a controlling domain.  But we
need to set a new precedence for this.

gstramer_home_t, adobe_home_t?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkg764wACgkQrlYvE4MpobMMLwCeP75ccyLjysfBHjdPlMhXeIEN
mgkAnjgWcsVHV2B+zIdJmH3xsW9o8Crl
=LsdV
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.