mozilla_selinux(8)          SELinux Policy mozilla          mozilla_selinux(8)


NAME

       mozilla_selinux - Security Enhanced Linux Policy for the mozilla
       processes


DESCRIPTION

       Security-Enhanced Linux secures the mozilla processes via flexible
       mandatory access control.

       The mozilla processes execute with the mozilla_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep mozilla_t


ENTRYPOINTS

       The mozilla_t SELinux type can be entered via the mozilla_exec_t file
       type.

       The default entrypoint paths for the mozilla_t domain are the
       following:

            /usr/lib/[^/]*firefox[^/]*/firefox
            /usr/lib/[^/]*firefox[^/]*/firefox-bin
            /usr/lib/mozilla[^/]*/reg.+
            /usr/lib/mozilla[^/]*/mozilla-.*
            /usr/lib/firefox[^/]*/mozilla-.*
            /usr/bin/mozilla-[0-9].*
            /usr/lib/netscape/.+/communicator/communicator-smotif.real
            /usr/bin/mozilla-bin-[0-9].*
            /usr/bin/mozilla
            /usr/bin/netscape
            /usr/bin/epiphany
            /usr/bin/epiphany-bin
            /usr/lib/galeon/galeon
            /usr/bin/mozilla-snapshot
            /usr/lib/netscape/base-4/wrapper


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       mozilla policy is very flexible, allowing users to set up their mozilla
       processes in as secure a method as possible.

       The following process types are defined for mozilla:

       mozilla_t, mozilla_plugin_t, mozilla_plugin_config_t

       Note: semanage permissive -a mozilla_t can be used to make the process
       type mozilla_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


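       The ps -eZ check from DESCRIPTION and the three process types above,
       worked through as an added shell example (not part of the generated man
       page). The ps output it reads is constructed; on a real host pipe
       ps -eZ into the functions instead.

```shell
# Sample `ps -eZ` output, constructed for this example (not captured from a host).
# Columns: LABEL PID TTY TIME CMD; the label is user:role:type:level.
SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                   1 ?        00:00:02 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2231 pts/0 00:00:00 bash
unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 2450 ?  00:01:10 firefox
unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 2488 ? 00:00:03 plugin-container
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2501 pts/0 00:00:00 firefox'

# Print "<pid> <type> <cmd>" for every process whose context type is one of the
# three mozilla policy domains. Reads ps -eZ output on stdin.
mozilla_domain_procs() {
    awk 'NR > 1 {
        split($1, ctx, ":")
        if (ctx[3] ~ /^(mozilla_t|mozilla_plugin_t|mozilla_plugin_config_t)$/)
            print $2, ctx[3], $NF
    }'
}

# Print "<pid> <type> <cmd>" for browser commands that are NOT running in
# mozilla_t, e.g. a firefox binary launched from a path that carries no
# mozilla_exec_t label and therefore never transitioned into the domain.
unconfined_browsers() {
    awk 'NR > 1 && $NF ~ /^(firefox|firefox-bin|mozilla|netscape|epiphany)$/ {
        split($1, ctx, ":")
        if (ctx[3] != "mozilla_t") print $2, ctx[3], $NF
    }'
}

# On a live host:  ps -eZ | mozilla_domain_procs ; ps -eZ | unconfined_browsers
```

       A browser reported by unconfined_browsers is running outside the policy
       described on this page, which is usually a labeling problem on its
       executable rather than a policy bug.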
BOOLEANS

       SELinux policy is customizable based on least access required. mozilla
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run mozilla with the tightest access possible.

       If you want to allow confined web browsers to read home directory
       content, you must turn on the mozilla_read_content boolean. Disabled by
       default.

       setsebool -P mozilla_read_content 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to deny applications in user domains the ability to map a
       memory region as both executable and writable, you must turn on the
       deny_execmem boolean. Such a mapping is dangerous, and an executable
       that needs it should be reported in bugzilla. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       the attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.

       setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to support ecryptfs home directories, you must turn on the
       use_ecryptfs_home_dirs boolean. Disabled by default.

       setsebool -P use_ecryptfs_home_dirs 1

       If you want to support fusefs home directories, you must turn on the
       use_fusefs_home_dirs boolean. Disabled by default.

       setsebool -P use_fusefs_home_dirs 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1

       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Enabled by default.

       setsebool -P xserver_object_manager 1


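       An added shell example (not part of the generated man page) that audits
       the booleans above against their documented defaults, so a host where
       mozilla_read_content was switched on or deny_execmem switched off stands
       out. The getsebool output it reads is constructed; on a real host pipe
       getsebool -a into the function.

```shell
# Documented defaults for the booleans listed above, "<boolean> <default>" per line.
MOZILLA_BOOL_DEFAULTS='mozilla_read_content off
authlogin_nsswitch_use_ldap off
deny_execmem on
deny_ptrace on
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
fips_mode on
global_ssp off
kerberos_enabled on
nis_enabled off
nscd_use_shm off
selinuxuser_direct_dri_enabled on
selinuxuser_execstack on
use_ecryptfs_home_dirs off
use_fusefs_home_dirs off
use_nfs_home_dirs off
use_samba_home_dirs off
xserver_clients_write_xshm off
xserver_object_manager on'

# Sample `getsebool -a` output, constructed for this example; the real command
# prints "<boolean> --> on|off" per line. Two values below deviate from the defaults.
SAMPLE_GETSEBOOL='abrt_anon_write --> off
authlogin_nsswitch_use_ldap --> off
deny_execmem --> off
deny_ptrace --> on
mozilla_read_content --> on
xserver_object_manager --> on'

# Read getsebool -a output on stdin and print "<boolean> <current> (default <x>)"
# for every boolean whose value differs from the documented default. Booleans
# missing from the input are skipped, so partial output works too.
# Use on a live host:  getsebool -a | audit_mozilla_booleans
audit_mozilla_booleans() {
    awk -v defaults="$MOZILLA_BOOL_DEFAULTS" '
        BEGIN {
            n = split(defaults, line, "\n")
            for (i = 1; i <= n; i++) { split(line[i], kv, " "); def[kv[1]] = kv[2] }
        }
        $2 == "-->" && ($1 in def) && $3 != def[$1] {
            print $1, $3, "(default " def[$1] ")"
        }'
}
```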
MANAGED FILES

       The SELinux process type mozilla_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       cifs_t


       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       gconf_home_t

            /root/.local.*
            /root/.gconf(d)?(/.*)?
            /home/[^/]+/.local.*
            /home/[^/]+/.gconf(d)?(/.*)?

       gnome_home_type


       mozilla_home_t

            /home/[^/]+/.lyx(/.*)?
            /home/[^/]+/.java(/.*)?
            /home/[^/]+/.adobe(/.*)?
            /home/[^/]+/.gnash(/.*)?
            /home/[^/]+/.webex(/.*)?
            /home/[^/]+/.galeon(/.*)?
            /home/[^/]+/.spicec(/.*)?
            /home/[^/]+/.IBMERS(/.*)?
            /home/[^/]+/POkemon.*(/.*)?
            /home/[^/]+/.mozilla(/.*)?
            /home/[^/]+/.phoenix(/.*)?
            /home/[^/]+/.icedtea(/.*)?
            /home/[^/]+/.netscape(/.*)?
            /home/[^/]+/.quakelive(/.*)?
            /home/[^/]+/.ICAClient(/.*)?
            /home/[^/]+/.macromedia(/.*)?
            /home/[^/]+/.thunderbird(/.*)?
            /home/[^/]+/.gcjwebplugin(/.*)?
            /home/[^/]+/.grl-podcasts(/.*)?
            /home/[^/]+/.cache/mozilla(/.*)?
            /home/[^/]+/.icedteaplugin(/.*)?
            /home/[^/]+/zimbrauserdata(/.*)?
            /home/[^/]+/.config/chromium(/.*)?
            /home/[^/]+/.juniper_networks(/.*)?
            /home/[^/]+/.cache/icedtea-web(/.*)?
            /home/[^/]+/abc
            /home/[^/]+/mozilla.pdf
            /home/[^/]+/.gnashpluginrc

       mozilla_tmp_t


       mozilla_tmpfs_t


       nfs_t


       pulseaudio_home_t

            /root/.pulse(/.*)?
            /root/.config/pulse(/.*)?
            /root/.esd_auth
            /root/.pulse-cookie
            /home/[^/]+/.pulse(/.*)?
            /home/[^/]+/.config/pulse(/.*)?
            /home/[^/]+/.esd_auth
            /home/[^/]+/.pulse-cookie

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*

       xserver_tmpfs_t



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mozilla policy is very flexible, allowing users to set up their
       mozilla processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for mozilla. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t mozilla_tmpfs_t '/srv/mymozilla_content(/.*)?'
       restorecon -R -v /srv/mymozilla_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for mozilla:


       mozilla_conf_t

       - Set files with the mozilla_conf_t type, if you want to treat the
       files as mozilla configuration data, usually stored under the /etc
       directory.


       mozilla_exec_t

       - Set files with the mozilla_exec_t type, if you want to transition an
       executable to the mozilla_t domain.

       Paths:
            /usr/lib/[^/]*firefox[^/]*/firefox
            /usr/lib/[^/]*firefox[^/]*/firefox-bin
            /usr/lib/mozilla[^/]*/reg.+
            /usr/lib/mozilla[^/]*/mozilla-.*
            /usr/lib/firefox[^/]*/mozilla-.*
            /usr/bin/mozilla-[0-9].*
            /usr/lib/netscape/.+/communicator/communicator-smotif.real
            /usr/bin/mozilla-bin-[0-9].*
            /usr/bin/mozilla
            /usr/bin/netscape
            /usr/bin/epiphany
            /usr/bin/epiphany-bin
            /usr/lib/galeon/galeon
            /usr/bin/mozilla-snapshot
            /usr/lib/netscape/base-4/wrapper


       mozilla_home_t

       - Set files with the mozilla_home_t type, if you want to store mozilla
       files in the user's home directory.

       Paths:
            /home/[^/]+/.lyx(/.*)?
            /home/[^/]+/.java(/.*)?
            /home/[^/]+/.adobe(/.*)?
            /home/[^/]+/.gnash(/.*)?
            /home/[^/]+/.webex(/.*)?
            /home/[^/]+/.galeon(/.*)?
            /home/[^/]+/.spicec(/.*)?
            /home/[^/]+/.IBMERS(/.*)?
            /home/[^/]+/POkemon.*(/.*)?
            /home/[^/]+/.mozilla(/.*)?
            /home/[^/]+/.phoenix(/.*)?
            /home/[^/]+/.icedtea(/.*)?
            /home/[^/]+/.netscape(/.*)?
            /home/[^/]+/.quakelive(/.*)?
            /home/[^/]+/.ICAClient(/.*)?
            /home/[^/]+/.macromedia(/.*)?
            /home/[^/]+/.thunderbird(/.*)?
            /home/[^/]+/.gcjwebplugin(/.*)?
            /home/[^/]+/.grl-podcasts(/.*)?
            /home/[^/]+/.cache/mozilla(/.*)?
            /home/[^/]+/.icedteaplugin(/.*)?
            /home/[^/]+/zimbrauserdata(/.*)?
            /home/[^/]+/.config/chromium(/.*)?
            /home/[^/]+/.juniper_networks(/.*)?
            /home/[^/]+/.cache/icedtea-web(/.*)?
            /home/[^/]+/abc
            /home/[^/]+/mozilla.pdf
            /home/[^/]+/.gnashpluginrc


       mozilla_plugin_config_exec_t

       - Set files with the mozilla_plugin_config_exec_t type, if you want to
       transition an executable to the mozilla_plugin_config_t domain.


       mozilla_plugin_exec_t

       - Set files with the mozilla_plugin_exec_t type, if you want to
       transition an executable to the mozilla_plugin_t domain.

       Paths:
            /usr/lib/xulrunner[^/]*/plugin-container
            /usr/lib/nspluginwrapper/npviewer.bin
            /usr/bin/nspluginscan
            /usr/bin/nspluginviewer
            /usr/libexec/WebKitPluginProcess
            /usr/lib/firefox/plugin-container


       mozilla_plugin_rw_t

       - Set files with the mozilla_plugin_rw_t type, if you want to treat the
       files as mozilla plugin read/write content.


       mozilla_plugin_tmp_t

       - Set files with the mozilla_plugin_tmp_t type, if you want to store
       mozilla plugin temporary files in the /tmp directories.


       mozilla_plugin_tmpfs_t

       - Set files with the mozilla_plugin_tmpfs_t type, if you want to store
       mozilla plugin files on a tmpfs file system.


       mozilla_tmp_t

       - Set files with the mozilla_tmp_t type, if you want to store mozilla
       temporary files in the /tmp directories.


       mozilla_tmpfs_t

       - Set files with the mozilla_tmpfs_t type, if you want to store mozilla
       files on a tmpfs file system.


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


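       An added shell example (not part of the generated man page) that applies
       a subset of the file-context patterns above to a path, so you can see
       which mozilla type a file would get and spot executables (for example a
       browser unpacked under /opt) that match nothing and so never enter
       mozilla_t. The subset, the sample paths and the first-match rule are
       this example's simplifications; libselinux itself chooses the most
       specific matching pattern.

```shell
# A subset of the file-context patterns listed above, "<type> <regex>" per line.
# SELinux matches these as anchored regular expressions and, when several match,
# prefers the most specific one; this example approximates that by listing the
# more specific patterns first and taking the first match.
MOZILLA_FCONTEXTS='mozilla_plugin_exec_t /usr/lib/firefox/plugin-container
mozilla_plugin_exec_t /usr/lib/xulrunner[^/]*/plugin-container
mozilla_exec_t /usr/lib/[^/]*firefox[^/]*/firefox
mozilla_exec_t /usr/lib/[^/]*firefox[^/]*/firefox-bin
mozilla_exec_t /usr/bin/mozilla
mozilla_exec_t /usr/bin/epiphany
mozilla_home_t /home/[^/]+/.mozilla(/.*)?
mozilla_home_t /home/[^/]+/.cache/mozilla(/.*)?
mozilla_home_t /home/[^/]+/.thunderbird(/.*)?
mozilla_home_t /home/[^/]+/.config/chromium(/.*)?'

# Print the mozilla file type these patterns assign to the path in $1, or
# "no_match" when none applies (the file then keeps whatever label its parent
# directory or another policy module gives it, and an executable there will
# not transition into mozilla_t).
expected_mozilla_type() {
    printf '%s\n' "$MOZILLA_FCONTEXTS" | awk -v path="$1" '
        path ~ ("^" $2 "$") { print $1; found = 1; exit }
        END { if (!found) print "no_match" }'
}

# Emit the semanage/restorecon commands that would give the path in $1 the same
# type as the reference path in $2, mirroring the STANDARD FILE CONTEXT example
# above. Fails (prints nothing) if the reference path itself matches no pattern.
relabel_like() {
    ref_type=$(expected_mozilla_type "$2")
    [ "$ref_type" != no_match ] || return 1
    printf "semanage fcontext -a -t %s '%s'\nrestorecon -R -v %s\n" "$ref_type" "$1" "$1"
}
```

       Run the commands relabel_like prints only after checking them, since a
       wrong regex can relabel far more than the one executable you meant.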
COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), mozilla_plugin_selinux(8),
       mozilla_plugin_config_selinux(8)


mozilla                            19-04-25                 mozilla_selinux(8)