1mozilla_plugin_config_SsEeLliinnuuxx(P8o)licy mozilla_plumgoizni_lcloan_fpilgugin_config_selinux(8)
2
3
4
6 mozilla_plugin_config_selinux - Security Enhanced Linux Policy for the
7 mozilla_plugin_config processes
8
10 Security-Enhanced Linux secures the mozilla_plugin_config processes via
11 flexible mandatory access control.
12
13 The mozilla_plugin_config processes execute with the mozilla_plug‐
14 in_config_t SELinux type. You can check if you have these processes
15 running by executing the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep mozilla_plugin_config_t
20
21
22
24 The mozilla_plugin_config_t SELinux type can be entered via the
25 mozilla_plugin_config_exec_t file type.
26
27 The default entrypoint paths for the mozilla_plugin_config_t domain are
28 the following:
29
30
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 mozilla_plugin_config policy is very flexible allowing users to setup
40 their mozilla_plugin_config processes in as secure a method as possi‐
41 ble.
42
43 The following process types are defined for mozilla_plugin_config:
44
45 mozilla_plugin_config_t
46
47 Note: semanage permissive -a mozilla_plugin_config_t can be used to
48 make the process type mozilla_plugin_config_t permissive. SELinux does
49 not deny access to permissive process types, but the AVC (SELinux
50 denials) messages are still generated.
51
52
54 SELinux policy is customizable based on least access required.
55 mozilla_plugin_config policy is extremely flexible and has several
56 booleans that allow you to manipulate the policy and run mozilla_plug‐
57 in_config with the tightest access possible.
58
59
60
61 If you want to allow all domains to use other domains file descriptors,
62 you must turn on the allow_domain_fd_use boolean. Enabled by default.
63
64 setsebool -P allow_domain_fd_use 1
65
66
67
68 If you want to allow confined applications to run with kerberos, you
69 must turn on the allow_kerberos boolean. Enabled by default.
70
71 setsebool -P allow_kerberos 1
72
73
74
75 If you want to allow sysadm to debug or ptrace all processes, you must
76 turn on the allow_ptrace boolean. Disabled by default.
77
78 setsebool -P allow_ptrace 1
79
80
81
82 If you want to allow system to run with NIS, you must turn on the
83 allow_ypbind boolean. Disabled by default.
84
85 setsebool -P allow_ypbind 1
86
87
88
89 If you want to allow all domains to have the kernel load modules, you
90 must turn on the domain_kernel_load_modules boolean. Disabled by
91 default.
92
93 setsebool -P domain_kernel_load_modules 1
94
95
96
97 If you want to allow all domains to execute in fips_mode, you must turn
98 on the fips_mode boolean. Enabled by default.
99
100 setsebool -P fips_mode 1
101
102
103
104 If you want to enable reading of urandom for all domains, you must turn
105 on the global_ssp boolean. Disabled by default.
106
107 setsebool -P global_ssp 1
108
109
110
111 If you want to allow confined applications to use nscd shared memory,
112 you must turn on the nscd_use_shm boolean. Enabled by default.
113
114 setsebool -P nscd_use_shm 1
115
116
117
119 The SELinux process type mozilla_plugin_config_t can manage files
120 labeled with the following file types. The paths listed are the
121 default paths for these file types. Note the processes UID still need
122 to have DAC permissions.
123
124 initrc_tmp_t
125
126
127 mnt_t
128
129 /mnt(/[^/]*)
130 /mnt(/[^/]*)?
131 /rhev(/[^/]*)?
132 /media(/[^/]*)
133 /media(/[^/]*)?
134 /etc/rhgb(/.*)?
135 /media/.hal-.*
136 /net
137 /afs
138 /rhev
139 /misc
140
141 mozilla_home_t
142
143 /home/[^/]*/.java(/.*)?
144 /home/[^/]*/.galeon(/.*)?
145 /home/[^/]*/.mozilla(/.*)?
146 /home/[^/]*/.phoenix(/.*)?
147 /home/[^/]*/.netscape(/.*)?
148 /home/[^/]*/.thunderbird(/.*)?
149 /home/staff/.java(/.*)?
150 /home/staff/.galeon(/.*)?
151 /home/staff/.mozilla(/.*)?
152 /home/staff/.phoenix(/.*)?
153 /home/staff/.netscape(/.*)?
154 /home/staff/.thunderbird(/.*)?
155
156 mozilla_plugin_rw_t
157
158
159 tmp_t
160
161 /tmp
162 /usr/tmp
163 /var/tmp
164 /tmp-inst
165 /var/tmp-inst
166 /var/tmp/vi.recover
167
168 user_fonts_cache_t
169
170 /home/[^/]*/.fonts/auto(/.*)?
171 /home/[^/]*/.fontconfig(/.*)?
172 /home/[^/]*/.fonts.cache-.*
173 /home/staff/.fonts/auto(/.*)?
174 /home/staff/.fontconfig(/.*)?
175 /home/staff/.fonts.cache-.*
176
177
179 semanage fcontext can also be used to manipulate default file context
180 mappings.
181
182 semanage permissive can also be used to manipulate whether or not a
183 process type is permissive.
184
185 semanage module can also be used to enable/disable/install/remove pol‐
186 icy modules.
187
188 semanage boolean can also be used to manipulate the booleans
189
190
191 system-config-selinux is a GUI tool available to customize SELinux pol‐
192 icy settings.
193
194
196 This manual page was auto-generated using sepolicy manpage .
197
198
200 selinux(8), mozilla_plugin_config(8), semanage(8), restorecon(8),
201 chcon(1) , setsebool(8)
202
203
204
205mozilla_plugin_config 15-06-03 mozilla_plugin_config_selinux(8)