commit:     15f4cb7c1387e72719c9948281f4818842baea96
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 13:53:00 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 10 13:53:00 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15f4cb7c
Fix bug #505406 - Make thunderbird work on Gentoo again

Changes made:
- Support thunderbird_tmp_t for /tmp created files and directories
- Support XDG types
- Make user content management optional (through access template)

---
 policy/modules/contrib/thunderbird.fc |  8 ++++++++
 policy/modules/contrib/thunderbird.te | 36 ++++++++++++++++++++++++++++++++---
 2 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/policy/modules/contrib/thunderbird.fc 
b/policy/modules/contrib/thunderbird.fc
index c01805a..4a579fe 100644
--- a/policy/modules/contrib/thunderbird.fc
+++ b/policy/modules/contrib/thunderbird.fc
@@ -1,3 +1,11 @@
 HOME_DIR/\.thunderbird(/.*)?   
gen_context(system_u:object_r:thunderbird_home_t,s0)
 
 /usr/bin/thunderbird.* --      
gen_context(system_u:object_r:thunderbird_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/thunderbird/plugin-container      --      
gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/run-mozilla\.sh       --      
gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/thunderbird   --      
gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/thunderbird-bin       --      
gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/updater       --      
gen_context(system_u:object_r:thunderbird_exec_t,s0)
+')
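Review bot: `/opt/thunderbird/plugin-container` is labeled thunderbird_exec_t, and combined with `can_exec(thunderbird_t, thunderbird_exec_t)` in the .te hunk that keeps the content/plugin helper inside thunderbird_t, so this labeling provides no domain separation for the process that is meant to be the sandboxed one; if the module has, or later gains, a dedicated plugin domain the way the mozilla module does, this is the entry that should point at it. The `updater` entry has a related effect: nothing this commit grants lets thunderbird_t write under /opt/thunderbird, so an in-app update attempt will simply be denied, which is presumably intended on a portage-managed install but is worth stating with a comment such as `# updater runs in thunderbird_t and cannot write /opt/thunderbird; updates come from portage`.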

diff --git a/policy/modules/contrib/thunderbird.te 
b/policy/modules/contrib/thunderbird.te
index 04a56d2..cbf9e39 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -105,9 +105,10 @@ userdom_write_user_tmp_sockets(thunderbird_t)
 userdom_manage_user_tmp_dirs(thunderbird_t)
 userdom_manage_user_tmp_files(thunderbird_t)
 
-userdom_manage_user_home_content_dirs(thunderbird_t)
-userdom_manage_user_home_content_files(thunderbird_t)
-userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
+# Gentoo: managed through booleans defined thruogh 
userdom_user_content_access_template
+#userdom_manage_user_home_content_dirs(thunderbird_t)
+#userdom_manage_user_home_content_files(thunderbird_t)
+#userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
 
 xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
 xserver_read_xdm_tmp_files(thunderbird_t)
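Review bot: The three userdom_manage_user_home_content_* / filetrans calls are commented out unconditionally, while their replacement (`userdom_user_content_access_template(thunderbird, thunderbird_t)`) is only applied inside `ifdef(`distro_gentoo',` in the later hunk, so a non-Gentoo build of this module loses home-content access entirely; unless this tree is Gentoo-only by design, keep the original calls in the else branch, `ifdef(`distro_gentoo',`',` … ')`, rather than leaving dead commented-out rules. The comment itself also misspells "through" as "thruogh". The enclosing block continues outside the hunk.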
@@ -168,11 +169,40 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
+       type thunderbird_xdg_cache_home_t;
+       xdg_cache_home_content(thunderbird_xdg_cache_home_t)
+
+       type thunderbird_tmp_t;
+       userdom_user_tmp_file(thunderbird_tmp_t)
+
        ################################
        #
        # Thunderbird local policy
        #
 
+       # thunderbird-bin to execute stuff in /opt/thunderbird/
+       can_exec(thunderbird_t, thunderbird_exec_t)
+
+       manage_dirs_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+       manage_files_pattern(thunderbird_t, thunderbird_tmp_t, 
thunderbird_tmp_t)
+       files_tmp_filetrans(thunderbird_t, thunderbird_tmp_t, { dir file })
+
+       manage_files_pattern(thunderbird_t, thunderbird_xdg_cache_home_t, 
thunderbird_xdg_cache_home_t)
+       manage_dirs_pattern(thunderbird_t, thunderbird_xdg_cache_home_t, 
thunderbird_xdg_cache_home_t)
+       xdg_cache_home_filetrans(thunderbird_t, thunderbird_xdg_cache_home_t, 
dir)
+
+       # File preview apps for instance
+       corecmd_exec_bin(thunderbird_t)
+
+       dev_read_sysfs(thunderbird_t)
+       dev_rw_dri(thunderbird_t)
+
+       userdom_use_user_ptys(thunderbird_t)
+       # User content access
+       userdom_user_content_access_template(thunderbird, thunderbird_t)
+
+       xdg_read_data_home_files(thunderbird_t)
+
        optional_policy(`
                pulseaudio_client_domain(thunderbird_t, thunderbird_tmpfs_t)
        ')
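Review bot: thunderbird_xdg_cache_home_t only ever gets applied through the runtime transition `xdg_cache_home_filetrans(thunderbird_t, thunderbird_xdg_cache_home_t, dir)`; the .fc hunk in this commit adds no `HOME_DIR/\.cache/thunderbird(/.*)?` entry, so a relabel (restorecon, or a relabel on boot) resets an existing cache directory to the generic XDG type and the manage rules above stop matching. Add the file-context entry, and, if the interface accepts a name filter, pass `"thunderbird"` as the fourth argument so only that directory, not every directory thunderbird_t creates directly under XDG_CACHE_HOME, receives the private type. `corecmd_exec_bin(thunderbird_t)` lets the domain execute every bin_t program in-domain, which is broad for a mail client that hands attachments to helpers; if it exists only for preview applications, gating it behind a boolean or a narrower interface would keep that privilege off by default.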
