mozilla_selinux(8)          SELinux Policy mozilla          mozilla_selinux(8)

NAME

       mozilla_selinux - Security Enhanced Linux Policy for the mozilla
       processes

DESCRIPTION

       Security-Enhanced Linux secures the mozilla processes via flexible
       mandatory access control.

       The mozilla processes execute with the mozilla_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep mozilla_t

ENTRYPOINTS

       The mozilla_t SELinux type can be entered via the mozilla_exec_t file
       type.

       The default entrypoint paths for the mozilla_t domain are the
       following:

            /usr/lib/[^/]*firefox[^/]*/firefox
            /usr/lib/[^/]*firefox[^/]*/firefox-bin
            /usr/lib/mozilla[^/]*/reg.+
            /usr/lib/firefox[^/]*/mozilla-.*
            /usr/lib/mozilla[^/]*/mozilla-.*
            /usr/bin/mozilla-[0-9].*
            /usr/lib/netscape/.+/communicator/communicator-smotif.real
            /usr/bin/mozilla-bin-[0-9].*
            /usr/bin/mozilla
            /usr/bin/epiphany
            /usr/bin/netscape
            /usr/bin/epiphany-bin
            /usr/lib/galeon/galeon
            /usr/bin/mozilla-snapshot
            /usr/lib/netscape/base-4/wrapper

PROCESS TYPES

       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       mozilla policy is very flexible, allowing users to set up their
       mozilla processes in as secure a manner as possible.

       The following process types are defined for mozilla:

       mozilla_t, mozilla_plugin_t, mozilla_plugin_config_t

       Note: semanage permissive -a mozilla_t can be used to make the process
       type mozilla_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       mozilla policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run mozilla with the tightest
       access possible.

       If you want to allow confined web browsers to read home directory
       content, you must turn on the mozilla_read_content boolean. Disabled
       by default.

       setsebool -P mozilla_read_content 1

       If you want to allow users to resolve user passwd entries directly
       from ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable, you must turn on the
       deny_execmem boolean. Such mappings are dangerous, and an executable
       that needs them should be reported in bugzilla. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by
       default.

       setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should
       be reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1
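
       As an added example that is not part of the sepolicy-generated page,
       the following shell function compares a getsebool -a listing against
       the defaults documented above and reports every boolean that has been
       changed (for instance deny_execmem switched off). The listing it runs
       on here is constructed sample data.

```shell
# Added example, not generated by sepolicy: report mozilla-relevant booleans
# whose current value differs from the defaults documented in this man page.

# Documented defaults, one "name default" pair per line (from BOOLEANS above).
MOZILLA_BOOL_DEFAULTS='mozilla_read_content off
authlogin_nsswitch_use_ldap off
deny_execmem on
fips_mode on
kerberos_enabled on
nis_enabled off
nscd_use_shm off
selinuxuser_direct_dri_enabled on
selinuxuser_execstack on
xserver_clients_write_xshm off'

# Constructed sample in the "name --> value" form printed by getsebool -a.
# Two values deliberately differ from the documented defaults.
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
deny_execmem --> off
fips_mode --> on
kerberos_enabled --> on
mozilla_read_content --> on
nis_enabled --> off
nscd_use_shm --> off
selinuxuser_direct_dri_enabled --> on
selinuxuser_execstack --> on
xserver_clients_write_xshm --> off'

# boolean_drift GETSEBOOL_OUTPUT
# Prints "name current default" for every documented boolean whose current
# value is not the documented default ("missing" if the boolean is absent);
# prints nothing when everything matches.
boolean_drift() {
    printf '%s\n' "$MOZILLA_BOOL_DEFAULTS" | while read -r name default; do
        current=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $3 }')
        current=${current:-missing}
        if [ "$current" != "$default" ]; then
            printf '%s %s %s\n' "$name" "$current" "$default"
        fi
    done
}

# On a live host run: boolean_drift "$(getsebool -a)"
boolean_drift "$SAMPLE_GETSEBOOL"
```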

MANAGED FILES

       The SELinux process type mozilla_t can manage files labeled with the
       following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs to have DAC
       permissions.

       cifs_t


       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       gconf_home_t

            /root/.local.*
            /root/.gconf(d)?(/.*)?
            /home/[^/]+/.local.*
            /home/[^/]+/.gconf(d)?(/.*)?

       gnome_home_type


       mozilla_home_t

            /home/[^/]+/.lyx(/.*)?
            /home/[^/]+/.java(/.*)?
            /home/[^/]+/.adobe(/.*)?
            /home/[^/]+/.gnash(/.*)?
            /home/[^/]+/.webex(/.*)?
            /home/[^/]+/.IBMERS(/.*)?
            /home/[^/]+/.galeon(/.*)?
            /home/[^/]+/.spicec(/.*)?
            /home/[^/]+/POkemon.*(/.*)?
            /home/[^/]+/.icedtea(/.*)?
            /home/[^/]+/.mozilla(/.*)?
            /home/[^/]+/.phoenix(/.*)?
            /home/[^/]+/.netscape(/.*)?
            /home/[^/]+/.ICAClient(/.*)?
            /home/[^/]+/.quakelive(/.*)?
            /home/[^/]+/.macromedia(/.*)?
            /home/[^/]+/.thunderbird(/.*)?
            /home/[^/]+/.gcjwebplugin(/.*)?
            /home/[^/]+/.grl-podcasts(/.*)?
            /home/[^/]+/.cache/mozilla(/.*)?
            /home/[^/]+/.icedteaplugin(/.*)?
            /home/[^/]+/zimbrauserdata(/.*)?
            /home/[^/]+/.juniper_networks(/.*)?
            /home/[^/]+/.cache/icedtea-web(/.*)?
            /home/[^/]+/abc
            /home/[^/]+/mozilla.pdf
            /home/[^/]+/.gnashpluginrc

       mozilla_tmp_t


       mozilla_tmpfs_t


       nfs_t


       pulseaudio_home_t

            /root/.pulse(/.*)?
            /root/.config/pulse(/.*)?
            /root/.esd_auth
            /root/.pulse-cookie
            /home/[^/]+/.pulse(/.*)?
            /home/[^/]+/.config/pulse(/.*)?
            /home/[^/]+/.esd_auth
            /home/[^/]+/.pulse-cookie

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*

       xserver_tmpfs_t

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the
       file type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mozilla policy is very flexible, allowing users to set up
       their mozilla processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for mozilla. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t mozilla_tmpfs_t '/srv/mymozilla_content(/.*)?'
       restorecon -R -v /srv/mymozilla_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for mozilla:


       mozilla_conf_t

       - Set files with the mozilla_conf_t type, if you want to treat the
       files as mozilla configuration data, usually stored under the /etc
       directory.


       mozilla_exec_t

       - Set files with the mozilla_exec_t type, if you want to transition
       an executable to the mozilla_t domain.

       Paths:
            /usr/lib/[^/]*firefox[^/]*/firefox
            /usr/lib/[^/]*firefox[^/]*/firefox-bin
            /usr/lib/mozilla[^/]*/reg.+
            /usr/lib/firefox[^/]*/mozilla-.*
            /usr/lib/mozilla[^/]*/mozilla-.*
            /usr/bin/mozilla-[0-9].*
            /usr/lib/netscape/.+/communicator/communicator-smotif.real
            /usr/bin/mozilla-bin-[0-9].*
            /usr/bin/mozilla
            /usr/bin/epiphany
            /usr/bin/netscape
            /usr/bin/epiphany-bin
            /usr/lib/galeon/galeon
            /usr/bin/mozilla-snapshot
            /usr/lib/netscape/base-4/wrapper


       mozilla_home_t

       - Set files with the mozilla_home_t type, if you want to store mozilla
       files in the user's home directory.

       Paths:
            /home/[^/]+/.lyx(/.*)?
            /home/[^/]+/.java(/.*)?
            /home/[^/]+/.adobe(/.*)?
            /home/[^/]+/.gnash(/.*)?
            /home/[^/]+/.webex(/.*)?
            /home/[^/]+/.IBMERS(/.*)?
            /home/[^/]+/.galeon(/.*)?
            /home/[^/]+/.spicec(/.*)?
            /home/[^/]+/POkemon.*(/.*)?
            /home/[^/]+/.icedtea(/.*)?
            /home/[^/]+/.mozilla(/.*)?
            /home/[^/]+/.phoenix(/.*)?
            /home/[^/]+/.netscape(/.*)?
            /home/[^/]+/.ICAClient(/.*)?
            /home/[^/]+/.quakelive(/.*)?
            /home/[^/]+/.macromedia(/.*)?
            /home/[^/]+/.thunderbird(/.*)?
            /home/[^/]+/.gcjwebplugin(/.*)?
            /home/[^/]+/.grl-podcasts(/.*)?
            /home/[^/]+/.cache/mozilla(/.*)?
            /home/[^/]+/.icedteaplugin(/.*)?
            /home/[^/]+/zimbrauserdata(/.*)?
            /home/[^/]+/.juniper_networks(/.*)?
            /home/[^/]+/.cache/icedtea-web(/.*)?
            /home/[^/]+/abc
            /home/[^/]+/mozilla.pdf
            /home/[^/]+/.gnashpluginrc


       mozilla_plugin_config_exec_t

       - Set files with the mozilla_plugin_config_exec_t type, if you want to
       transition an executable to the mozilla_plugin_config_t domain.


       mozilla_plugin_exec_t

       - Set files with the mozilla_plugin_exec_t type, if you want to
       transition an executable to the mozilla_plugin_t domain.

       Paths:
            /usr/lib/xulrunner[^/]*/plugin-container
            /usr/lib/nspluginwrapper/npviewer.bin
            /usr/bin/nspluginscan
            /usr/bin/nspluginviewer
            /usr/libexec/WebKitPluginProcess
            /usr/lib/firefox/plugin-container


       mozilla_plugin_rw_t

       - Set files with the mozilla_plugin_rw_t type, if you want to treat
       the files as mozilla plugin read/write content.


       mozilla_plugin_tmp_t

       - Set files with the mozilla_plugin_tmp_t type, if you want to store
       mozilla plugin temporary files in the /tmp directories.


       mozilla_plugin_tmpfs_t

       - Set files with the mozilla_plugin_tmpfs_t type, if you want to store
       mozilla plugin files on a tmpfs file system.


       mozilla_tmp_t

       - Set files with the mozilla_tmp_t type, if you want to store mozilla
       temporary files in the /tmp directories.


       mozilla_tmpfs_t

       - Set files with the mozilla_tmpfs_t type, if you want to store
       mozilla files on a tmpfs file system.


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use
       the semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
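
       As an added example that is not part of the sepolicy-generated page,
       the following shell function applies a subset of the file context
       regexes listed above, plus the local entry the semanage command above
       creates, to a path and prints the type restorecon would assign. It
       assumes first match wins with local entries consulted first, a
       simplification of the real matcher, and runs on constructed paths.

```shell
# Added example, not generated by sepolicy: predict which documented mozilla
# file type a path would receive from the regexes in this man page, the way
# restorecon applies them. Assumptions (a simplification of the real
# matcher, which prefers the most specific entry): first match wins, and
# local entries added with "semanage fcontext -a" are consulted first.

# Distribution patterns copied from FILE CONTEXTS above: "type regex".
MOZILLA_FCONTEXTS='mozilla_exec_t /usr/lib/[^/]*firefox[^/]*/firefox
mozilla_exec_t /usr/lib/[^/]*firefox[^/]*/firefox-bin
mozilla_exec_t /usr/bin/mozilla
mozilla_plugin_exec_t /usr/lib/xulrunner[^/]*/plugin-container
mozilla_plugin_exec_t /usr/lib/firefox/plugin-container
mozilla_home_t /home/[^/]+/.mozilla(/.*)?
mozilla_home_t /home/[^/]+/.cache/mozilla(/.*)?
mozilla_home_t /home/[^/]+/.thunderbird(/.*)?'

# Local customization, exactly the entry the semanage command above adds.
MOZILLA_FCONTEXTS_LOCAL='mozilla_tmpfs_t /srv/mymozilla_content(/.*)?'

# default_type PATH
# Prints the type of the first regex matching the whole path, or "unlabeled"
# when no documented pattern applies. SELinux anchors every fcontext regex
# to the complete path, so the awk match is wrapped in ^ and $.
default_type() {
    printf '%s\n%s\n' "$MOZILLA_FCONTEXTS_LOCAL" "$MOZILLA_FCONTEXTS" |
    awk -v path="$1" '
        path ~ ("^" $2 "$") { print $1; found = 1; exit }
        END { if (!found) print "unlabeled" }'
}

# Constructed sample paths (no such files need to exist).
for p in /usr/lib/firefox-52/firefox \
         /usr/lib/firefox/plugin-container \
         /home/alice/.mozilla/firefox/profiles.ini \
         /srv/mymozilla_content/cache/page.html \
         /home/alice/Documents/notes.txt; do
    printf '%-45s %s\n' "$p" "$(default_type "$p")"
done
```

       On a live host, matchpathcon(8) reports the authoritative default
       label for a path, including the most-specific-match rule this
       example omits.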

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), mozilla_plugin_selinux(8),
       mozilla_plugin_config_selinux(8)



mozilla                            19-05-30                 mozilla_selinux(8)