Allow mozilla/firefox to manage tempfiles

On Wed, Mar 23, 2011 at 09:10:37AM -0400, Christopher J. PeBenito wrote:
> >  userdom_use_user_ptys(mozilla_t)
> > +userdom_manage_user_tmp_files(mozilla_t)
> > +userdom_manage_user_tmp_sockets(mozilla_t)
>
> Do you have more info on these?  Such as what files and sockets are
> being managed?

Not anymore apparently. Been running now for quite some time without these
privileges and I get no problems with it. Retry:

Mozilla/Firefox creates temporary files for its plugin support (for instance
while viewing flc streams), like /tmp/plugtmp/plugin-crossdomain.xml.

Update policy to allow it to create its own tmp type and perform a file
transition when creating a file or directory in a tmp_t location (like
/tmp).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Sven Vermeulen 2011-05-02 22:45:50 +02:00 committed by Chris PeBenito
parent 8cd36efcd9
commit f28f89acb8


@ -33,6 +33,12 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
files_tmpfs_file(mozilla_tmpfs_t)
ubac_constrained(mozilla_tmpfs_t)
type mozilla_tmp_t;
typealias mozilla_tmp_t alias { user_mozilla_tmp_t staff_mozilla_tmp_t sysadm_mozilla_tmp_t };
typealias mozilla_tmp_t alias { auditadm_mozilla_t secadm_mozilla_t };
files_tmp_file(mozilla_tmp_t)
ubac_constrained(mozilla_tmp_t)
########################################
#
# Local policy
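Review bot: the second new typealias in this hunk, `typealias mozilla_tmp_t alias { auditadm_mozilla_t secadm_mozilla_t };`, drops the `_tmp` part that the line above it uses (`user_mozilla_tmp_t staff_mozilla_tmp_t sysadm_mozilla_tmp_t`) and that the tmpfs alias in the hunk header follows (`auditadm_mozilla_tmpfs_t`). As written it aliases names that read as domain types to a tmp file type; it looks like it should be `{ auditadm_mozilla_tmp_t secadm_mozilla_tmp_t }`.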
@ -68,6 +74,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
# Access /proc, sysctl
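Review bot: the new `files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })` and the two manage patterns cover only files and directories, while the tmpfs rules in the context lines just above also handle `lnk_file`, `sock_file` and `fifo_file`. The commit message mentions only files and directories under /tmp, so the narrower scope is probably intended, but the earlier revision quoted in the message also asked for socket access. A short comment above the three new rules saying that the plugin temp data is files and directories only (the /tmp/plugtmp case) would make that choice explicit for later readers.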