I am working on creating an SELinux module for a Thunderbird mail application, and I would appreciate some guidance.
The application, when installed, places various files and directories in specific locations:
- /usr/bin/thunderbird: the executable binary file
- /usr/lib/thunderbird..so: libraries installed by this application
- /usr/lib/thunderbird/plugins/.+: plugins loadable by this application installed by the administrator
Upon launching, the application utilizes the ~/.thunderbird/ directory, which includes:
- ~/.thunderbird/mail/: a folder containing mails, with a subfolder per account
- ~/.thunderbird/account.ini: account settings, including passwords
- ~/.thunderbird/plugins.txt: a list of plugins to load at startup
- ~/.thunderbird/plugins/: plugins installed by the user
- ~/.thunderbird/tmp/: temporary data
I need assistance in writing an SELinux module for this application.
Specifically, I want to restrict the installation of plugins to only the administrator (root), allowing the user "toto" limited access. Here are the context details:
- User "toto": user_u: user_r:_user_t
- Administrator (root): root: staff_r:_staff_t
I want to ensure that only the administrator can install plugins for all users. Any insights or examples on how to achieve this in SELinux would be greatly appreciated. Thank you!
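
A type-enforcement module for the plugin rule described in the post, as an added example that is not part of the original post and not a shipped policy. It assumes the reference policy macros (policy_module, application_domain, the *_pattern macros), plugins that are shared objects loaded with mmap, and hypothetical tbmail_* type names chosen so they do not clash with an existing thunderbird module.

```selinux
policy_module(tbmail, 1.0.0)

# Hypothetical tbmail_* names; user_t and staff_t are the domains given in the post.
gen_require(`
    type user_t, staff_t;
    role user_r, staff_r;
')

# Domain for /usr/bin/thunderbird, entered from both login domains.
type tbmail_t;
type tbmail_exec_t;
application_domain(tbmail_t, tbmail_exec_t)
role user_r types tbmail_t;
role staff_r types tbmail_t;
domtrans_pattern(user_t, tbmail_exec_t, tbmail_t)
domtrans_pattern(staff_t, tbmail_exec_t, tbmail_t)

type tbmail_plugin_t;        # /usr/lib/thunderbird/plugins
files_type(tbmail_plugin_t)
type tbmail_home_t;          # mail/, account.ini, tmp/
userdom_user_home_content(tbmail_home_t)
type tbmail_home_plugin_t;   # ~/.thunderbird/plugins: no allow rule names this type
files_type(tbmail_home_plugin_t)
type tbmail_plugin_list_t;   # ~/.thunderbird/plugins.txt
files_type(tbmail_plugin_list_t)

# Application: manage its data, read the plugin list, map and execute admin plugins only.
userdom_search_user_home_dirs(tbmail_t)
manage_dirs_pattern(tbmail_t, tbmail_home_t, tbmail_home_t)
manage_files_pattern(tbmail_t, tbmail_home_t, tbmail_home_t)
read_files_pattern(tbmail_t, tbmail_home_t, tbmail_plugin_list_t)
list_dirs_pattern(tbmail_t, tbmail_plugin_t, tbmail_plugin_t)
allow tbmail_t tbmail_plugin_t:file mmap_exec_file_perms;

# Administrator (staff_t in the post): install plugins and edit the startup list.
manage_dirs_pattern(staff_t, tbmail_plugin_t, tbmail_plugin_t)
manage_files_pattern(staff_t, tbmail_plugin_t, tbmail_plugin_t)
manage_files_pattern(staff_t, tbmail_home_t, tbmail_plugin_list_t)

# Ordinary user: may read the plugin list, gets no write rule on any plugin type.
read_files_pattern(user_t, tbmail_home_t, tbmail_plugin_list_t)

# File contexts, kept in a separate tbmail.fc:
# /usr/bin/thunderbird                 -- gen_context(system_u:object_r:tbmail_exec_t,s0)
# /usr/lib/thunderbird/plugins(/.*)?      gen_context(system_u:object_r:tbmail_plugin_t,s0)
# HOME_DIR/\.thunderbird(/.*)?            gen_context(system_u:object_r:tbmail_home_t,s0)
# HOME_DIR/\.thunderbird/plugins(/.*)?    gen_context(system_u:object_r:tbmail_home_plugin_t,s0)
# HOME_DIR/\.thunderbird/plugins\.txt  -- gen_context(system_u:object_r:tbmail_plugin_list_t,s0)
```

The deciding control is that tbmail_t holds execute and map permission only on tbmail_plugin_t, a type user_t has no rule to write. Files a user creates elsewhere under ~/.thunderbird inherit tbmail_home_t, which the application can read but cannot load as code.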