Daniel J Walsh:
> In this case we have to allow mozilla-plugin to create any file in
> the homedir if it does not exist and label it mozilla_home_t.

Ouch! I had hoped something like the regular expressions of "semanage fcontext" could have done it simpler.

Hm. I wonder if there might be a better way. In the case of BankID the plugin starts a separate binary that does some of the work. I believe, in particular, it's that binary that creates the problematic file. Maybe I could write a policy module that puts this binary in a specific domain when started from mozilla_plugin_t. I would have to let that domain create files in the home directory, but I wouldn't have to let ALL plugins do it. It would be a bit better.

I'll give it a try. It will be a much more advanced module than I've done before.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
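
The approach proposed in the message above, written out as a reference-policy module. This is an added example, not part of the original post and not any shipped policy. The `bankid_helper*` names, the `unconfined_r` role and the executable path are assumptions; `mozilla_plugin_t` and `mozilla_home_t` are the types named in the thread.

```selinux
# bankid_helper.te: added example; every bankid_helper* name is hypothetical.
policy_module(bankid_helper, 1.0.0)

gen_require(`
	type mozilla_plugin_t;
	type mozilla_home_t;
	role unconfined_r;
')

# Domain for the helper binary, and the type carried by its executable.
type bankid_helper_t;
type bankid_helper_exec_t;
application_domain(bankid_helper_t, bankid_helper_exec_t)

# Assumption: the browser is started from an unconfined_r login session.
# A confined user role would need its own "role ... types" statement.
role unconfined_r types bankid_helper_t;

# When mozilla_plugin_t executes a file labeled bankid_helper_exec_t,
# the new process runs in bankid_helper_t instead of staying in the
# plugin domain.
domtrans_pattern(mozilla_plugin_t, bankid_helper_exec_t, bankid_helper_t)

# Only the helper domain may create new entries directly in the user's
# home directory; they are labeled mozilla_home_t on creation. No such
# rule is granted to mozilla_plugin_t itself.
userdom_user_home_dir_filetrans(bankid_helper_t, mozilla_home_t, { dir file })
manage_dirs_pattern(bankid_helper_t, mozilla_home_t, mozilla_home_t)
manage_files_pattern(bankid_helper_t, mozilla_home_t, mozilla_home_t)

# Any other access the helper needs is not stated in the thread; AVC
# denials for bankid_helper_t in the audit log show what is missing.

# bankid_helper.fc (separate file). The path is a placeholder because
# the thread does not give the real location of the binary:
# /PATH/TO/BANKID-HELPER	--	gen_context(system_u:object_r:bankid_helper_exec_t,s0)
```

Build it with `make -f /usr/share/selinux/devel/Makefile bankid_helper.pp`, load it with `semodule -i bankid_helper.pp`, and run `restorecon` on the helper binary so it picks up the new executable type.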