From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1407678780.15f4cb7c1387e72719c9948281f4818842baea96.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/thunderbird.fc policy/modules/contrib/thunderbird.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 15f4cb7c1387e72719c9948281f4818842baea96
X-VCS-Branch: master
Date: Sun, 10 Aug 2014 13:54:27 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 4bde1968-5cb4-4904-b56a-596f522914e7
X-Archives-Hash: b1fbf5986ff7e31321867dc2c46c46f8

commit:     15f4cb7c1387e72719c9948281f4818842baea96
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Aug 10 13:53:00 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Aug 10 13:53:00 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15f4cb7c

Fix bug #505406 - Make thunderbird work on Gentoo again

Changes made:
- Support thunderbird_tmp_t for /tmp created files and directories
- Support XDG types
- Make user content management optional (through access template)

---
 policy/modules/contrib/thunderbird.fc |  8 ++++++++
 policy/modules/contrib/thunderbird.te | 36 ++++++++++++++++++++++++++++++++---
 2 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/policy/modules/contrib/thunderbird.fc b/policy/modules/contrib/thunderbird.fc
index c01805a..4a579fe 100644
--- a/policy/modules/contrib/thunderbird.fc
+++ b/policy/modules/contrib/thunderbird.fc
@@ -1,3 +1,11 @@ HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0) /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) + +ifdef(`distro_gentoo',` +/opt/thunderbird/plugin-container -- gen_context(system_u:object_r:thunderbird_exec_t,s0) +/opt/thunderbird/run-mozilla\.sh -- gen_context(system_u:object_r:thunderbird_exec_t,s0) +/opt/thunderbird/thunderbird -- gen_context(system_u:object_r:thunderbird_exec_t,s0) +/opt/thunderbird/thunderbird-bin -- gen_context(system_u:object_r:thunderbird_exec_t,s0) +/opt/thunderbird/updater -- gen_context(system_u:object_r:thunderbird_exec_t,s0) +') diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te index 04a56d2..cbf9e39 100644 --- a/policy/modules/contrib/thunderbird.te +++ b/policy/modules/contrib/thunderbird.te @@ -105,9 +105,10 @@ userdom_write_user_tmp_sockets(thunderbird_t) userdom_manage_user_tmp_dirs(thunderbird_t) userdom_manage_user_tmp_files(thunderbird_t) -userdom_manage_user_home_content_dirs(thunderbird_t) -userdom_manage_user_home_content_files(thunderbird_t) -userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file }) +# Gentoo: managed through booleans defined thruogh userdom_user_content_access_template +#userdom_manage_user_home_content_dirs(thunderbird_t) +#userdom_manage_user_home_content_files(thunderbird_t) +#userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file }) xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) xserver_read_xdm_tmp_files(thunderbird_t) 
@@ -168,11 +169,40 @@ optional_policy(` ') ifdef(`distro_gentoo',` + type thunderbird_xdg_cache_home_t; + xdg_cache_home_content(thunderbird_xdg_cache_home_t) + + type thunderbird_tmp_t; + userdom_user_tmp_file(thunderbird_tmp_t) + ################################ # # Thunderbird local policy # + # thunderbird-bin to execute stuff in /opt/thunderbird/ + can_exec(thunderbird_t, thunderbird_exec_t) + + manage_dirs_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t) + manage_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t) + files_tmp_filetrans(thunderbird_t, thunderbird_tmp_t, { dir file }) + + manage_files_pattern(thunderbird_t, thunderbird_xdg_cache_home_t, thunderbird_xdg_cache_home_t) + manage_dirs_pattern(thunderbird_t, thunderbird_xdg_cache_home_t, thunderbird_xdg_cache_home_t) + xdg_cache_home_filetrans(thunderbird_t, thunderbird_xdg_cache_home_t, dir) + + # File preview apps for instance + corecmd_exec_bin(thunderbird_t) + + dev_read_sysfs(thunderbird_t) + dev_rw_dri(thunderbird_t) + + userdom_use_user_ptys(thunderbird_t) + # User content access + userdom_user_content_access_template(thunderbird, thunderbird_t) + + xdg_read_data_home_files(thunderbird_t) + optional_policy(` pulseaudio_client_domain(thunderbird_t, thunderbird_tmpfs_t) ')
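Review bot: in the thunderbird.fc hunk, /opt/thunderbird/updater is labelled thunderbird_exec_t alongside the browser binaries, so the updater runs in thunderbird_t, and the matching thunderbird.te hunk only grants can_exec(thunderbird_t, thunderbird_exec_t) on that type, never write access to it. An in-application update that rewrites /opt/thunderbird/ will therefore be denied; if that is the intent (updates come through the package manager), say so in a comment next to the entry, otherwise leave the updater unlabelled or give it a type the policy actually handles.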
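Review bot: in the first thunderbird.te hunk (@@ -105,9 +105,10 @@), the three userdom_manage_user_home_content_dirs/files and userdom_user_home_dir_filetrans_user_home_content calls are disabled unconditionally, but their replacement, userdom_user_content_access_template(thunderbird, thunderbird_t), only appears inside the ifdef(`distro_gentoo') block further down, so a non-Gentoo build of this module loses thunderbird's home-content access with nothing put in its place. Either wrap the removal in the same ifdef(`distro_gentoo') or call the template unconditionally. Two smaller points on the same hunk: "thruogh" in the added comment should read "through", and deleting the three rules is cleaner than leaving them commented out, since the comment above them already records why they went away.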
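Review bot: in the second thunderbird.te hunk (@@ -168,11 +169,40 @@), corecmd_exec_bin(thunderbird_t) lets the mail client execute any bin_t program inside its own domain, justified only by "# File preview apps for instance"; given that the rest of the change carefully separates thunderbird_tmp_t and thunderbird_xdg_cache_home_t from the generic types, please either name the helpers that need this or consider a narrower rule, since every attachment viewer launched this way inherits the full thunderbird_t access. Also, xdg_cache_home_filetrans(thunderbird_t, thunderbird_xdg_cache_home_t, dir) transitions only directories, so a file created directly under the XDG cache directory keeps the generic cache type rather than thunderbird_xdg_cache_home_t; add file to the class list or note that only the subdirectory is expected. Finally, the two type declarations (type thunderbird_xdg_cache_home_t; and type thunderbird_tmp_t;) are placed in the policy part of the file; refpolicy convention keeps declarations in the Declarations block at the top, inside the distro_gentoo ifdef there.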