1mozilla_plugin_selinux(8)SELinux Policy mozilla_pluginmozilla_plugin_selinux(8)
2
3
4
6 mozilla_plugin_selinux - Security Enhanced Linux Policy for the
7 mozilla_plugin processes
8
10 Security-Enhanced Linux secures the mozilla_plugin processes via flexi‐
11 ble mandatory access control.
12
13 The mozilla_plugin processes execute with the mozilla_plugin_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep mozilla_plugin_t
20
21
22
24 The mozilla_plugin_t SELinux type can be entered via the mozilla_plug‐
25 in_exec_t file type.
26
27 The default entrypoint paths for the mozilla_plugin_t domain are the
28 following:
29
30 /usr/lib/xulrunner[^/]*/plugin-container, /usr/lib/nspluginwrap‐
31 per/npviewer.bin, /usr/bin/nspluginscan, /usr/bin/nspluginviewer,
32 /usr/libexec/WebKitPluginProcess, /usr/lib/firefox/plugin-container
33
35 SELinux defines process types (domains) for each process running on the
36 system
37
38 You can see the context of a process using the -Z option to ps
39
40 Policy governs the access confined processes have to files. SELinux
41 mozilla_plugin policy is very flexible allowing users to setup their
42 mozilla_plugin processes in as secure a method as possible.
43
44 The following process types are defined for mozilla_plugin:
45
46 mozilla_plugin_t, mozilla_plugin_config_t
47
48 Note: semanage permissive -a mozilla_plugin_t can be used to make the
49 process type mozilla_plugin_t permissive. SELinux does not deny access
50 to permissive process types, but the AVC (SELinux denials) messages are
51 still generated.
52
53
55 SELinux policy is customizable based on least access required.
56 mozilla_plugin policy is extremely flexible and has several booleans
57 that allow you to manipulate the policy and run mozilla_plugin with the
58 tightest access possible.
59
60
61
62 If you want to allow mozilla plugin domain to bind unreserved tcp/udp
63 ports, you must turn on the mozilla_plugin_bind_unreserved_ports bool‐
64 ean. Disabled by default.
65
66 setsebool -P mozilla_plugin_bind_unreserved_ports 1
67
68
69
70 If you want to allow mozilla plugin domain to connect to the network
71 using TCP, you must turn on the mozilla_plugin_can_network_connect
72 boolean. Enabled by default.
73
74 setsebool -P mozilla_plugin_can_network_connect 1
75
76
77
78 If you want to allow mozilla plugin to use Bluejeans, you must turn on
79 the mozilla_plugin_use_bluejeans boolean. Disabled by default.
80
81 setsebool -P mozilla_plugin_use_bluejeans 1
82
83
84
85 If you want to allow mozilla plugin to support GPS, you must turn on
86 the mozilla_plugin_use_gps boolean. Disabled by default.
87
88 setsebool -P mozilla_plugin_use_gps 1
89
90
91
92 If you want to allow mozilla plugin to support spice protocols, you
93 must turn on the mozilla_plugin_use_spice boolean. Disabled by default.
94
95 setsebool -P mozilla_plugin_use_spice 1
96
97
98
99 If you want to allow users to resolve user passwd entries directly from
100 ldap rather then using a sssd server, you must turn on the authlo‐
101 gin_nsswitch_use_ldap boolean. Disabled by default.
102
103 setsebool -P authlogin_nsswitch_use_ldap 1
104
105
106
107 If you want to deny all system processes and Linux users to use blue‐
108 tooth wireless technology, you must turn on the deny_bluetooth boolean.
109 Enabled by default.
110
111 setsebool -P deny_bluetooth 1
112
113
114
115 If you want to allow all domains to execute in fips_mode, you must turn
116 on the fips_mode boolean. Enabled by default.
117
118 setsebool -P fips_mode 1
119
120
121
122 If you want to allow confined applications to run with kerberos, you
123 must turn on the kerberos_enabled boolean. Enabled by default.
124
125 setsebool -P kerberos_enabled 1
126
127
128
129 If you want to allow system to run with NIS, you must turn on the
130 nis_enabled boolean. Disabled by default.
131
132 setsebool -P nis_enabled 1
133
134
135
136 If you want to allow confined applications to use nscd shared memory,
137 you must turn on the nscd_use_shm boolean. Disabled by default.
138
139 setsebool -P nscd_use_shm 1
140
141
142
143 If you want to allow all unconfined executables to use libraries
144 requiring text relocation that are not labeled textrel_shlib_t, you
145 must turn on the selinuxuser_execmod boolean. Enabled by default.
146
147 setsebool -P selinuxuser_execmod 1
148
149
150
151 If you want to allow unconfined users to transition to the Mozilla
152 plugin domain when running xulrunner plugin-container, you must turn on
153 the unconfined_mozilla_plugin_transition boolean. Enabled by default.
154
155 setsebool -P unconfined_mozilla_plugin_transition 1
156
157
158
159 If you want to support NFS home directories, you must turn on the
160 use_nfs_home_dirs boolean. Disabled by default.
161
162 setsebool -P use_nfs_home_dirs 1
163
164
165
166 If you want to support SAMBA home directories, you must turn on the
167 use_samba_home_dirs boolean. Disabled by default.
168
169 setsebool -P use_samba_home_dirs 1
170
171
172
174 The SELinux process type mozilla_plugin_t can manage files labeled with
175 the following file types. The paths listed are the default paths for
176 these file types. Note the processes UID still need to have DAC per‐
177 missions.
178
179 cifs_t
180
181
182 dosfs_t
183
184
185 ecryptfs_t
186
187 /home/[^/]+/.Private(/.*)?
188 /home/[^/]+/.ecryptfs(/.*)?
189
190 fusefs_t
191
192 /var/run/user/[^/]*/gvfs
193
194 gnome_home_type
195
196
197 home_cert_t
198
199 /root/.pki(/.*)?
200 /root/.cert(/.*)?
201 /home/[^/]+/.pki(/.*)?
202 /home/[^/]+/.cert(/.*)?
203 /home/[^/]+/.local/share/networkmanagement/certificates(/.*)?
204 /home/[^/]+/.kde/share/apps/networkmanagement/certificates(/.*)?
205
206 mozilla_home_t
207
208 /home/[^/]+/.lyx(/.*)?
209 /home/[^/]+/.java(/.*)?
210 /home/[^/]+/.adobe(/.*)?
211 /home/[^/]+/.gnash(/.*)?
212 /home/[^/]+/.webex(/.*)?
213 /home/[^/]+/.IBMERS(/.*)?
214 /home/[^/]+/.galeon(/.*)?
215 /home/[^/]+/.spicec(/.*)?
216 /home/[^/]+/POkemon.*(/.*)?
217 /home/[^/]+/.icedtea(/.*)?
218 /home/[^/]+/.mozilla(/.*)?
219 /home/[^/]+/.phoenix(/.*)?
220 /home/[^/]+/.netscape(/.*)?
221 /home/[^/]+/.ICAClient(/.*)?
222 /home/[^/]+/.quakelive(/.*)?
223 /home/[^/]+/.macromedia(/.*)?
224 /home/[^/]+/.thunderbird(/.*)?
225 /home/[^/]+/.gcjwebplugin(/.*)?
226 /home/[^/]+/.grl-podcasts(/.*)?
227 /home/[^/]+/.cache/mozilla(/.*)?
228 /home/[^/]+/.icedteaplugin(/.*)?
229 /home/[^/]+/zimbrauserdata(/.*)?
230 /home/[^/]+/.juniper_networks(/.*)?
231 /home/[^/]+/.cache/icedtea-web(/.*)?
232 /home/[^/]+/abc
233 /home/[^/]+/mozilla.pdf
234 /home/[^/]+/.gnashpluginrc
235
236 mozilla_plugin_tmp_t
237
238
239 mozilla_plugin_tmpfs_t
240
241
242 mplayer_home_t
243
244 /home/[^/]+/.mplayer(/.*)?
245
246 nfs_t
247
248
249 pulseaudio_home_t
250
251 /root/.pulse(/.*)?
252 /root/.config/pulse(/.*)?
253 /root/.esd_auth
254 /root/.pulse-cookie
255 /home/[^/]+/.pulse(/.*)?
256 /home/[^/]+/.config/pulse(/.*)?
257 /home/[^/]+/.esd_auth
258 /home/[^/]+/.pulse-cookie
259
260 texlive_home_t
261
262 /home/[^/]+/.texlive2012(/.*)?
263 /home/[^/]+/.texlive2013(/.*)?
264 /home/[^/]+/.texlive2014(/.*)?
265
266 user_fonts_cache_t
267
268 /root/.fontconfig(/.*)?
269 /root/.fonts/auto(/.*)?
270 /root/.fonts.cache-.*
271 /root/.cache/fontconfig(/.*)?
272 /home/[^/]+/.fontconfig(/.*)?
273 /home/[^/]+/.fonts/auto(/.*)?
274 /home/[^/]+/.fonts.cache-.*
275 /home/[^/]+/.cache/fontconfig(/.*)?
276
277 user_tmp_t
278
279 /dev/shm/mono.*
280 /var/run/user(/.*)?
281 /tmp/.ICE-unix(/.*)?
282 /tmp/.X11-unix(/.*)?
283 /dev/shm/pulse-shm.*
284 /tmp/.X0-lock
285 /tmp/hsperfdata_root
286 /var/tmp/hsperfdata_root
287 /home/[^/]+/tmp
288 /home/[^/]+/.tmp
289 /tmp/gconfd-[^/]+
290
291
293 SELinux requires files to have an extended attribute to define the file
294 type.
295
296 You can see the context of a file using the -Z option to ls
297
298 Policy governs the access confined processes have to these files.
299 SELinux mozilla_plugin policy is very flexible allowing users to setup
300 their mozilla_plugin processes in as secure a method as possible.
301
302 STANDARD FILE CONTEXT
303
304 SELinux defines the file context types for the mozilla_plugin, if you
305 wanted to store files with these types in a diffent paths, you need to
306 execute the semanage command to sepecify alternate labeling and then
307 use restorecon to put the labels on disk.
308
309 semanage fcontext -a -t mozilla_plugin_rw_t '/srv/mymozilla_plugin_con‐
310 tent(/.*)?'
311 restorecon -R -v /srv/mymozilla_plugin_content
312
313 Note: SELinux often uses regular expressions to specify labels that
314 match multiple files.
315
316 The following file types are defined for mozilla_plugin:
317
318
319
320 mozilla_plugin_config_exec_t
321
322 - Set files with the mozilla_plugin_config_exec_t type, if you want to
323 transition an executable to the mozilla_plugin_config_t domain.
324
325
326
327 mozilla_plugin_exec_t
328
329 - Set files with the mozilla_plugin_exec_t type, if you want to transi‐
330 tion an executable to the mozilla_plugin_t domain.
331
332
333 Paths:
334 /usr/lib/xulrunner[^/]*/plugin-container, /usr/lib/nspluginwrap‐
335 per/npviewer.bin, /usr/bin/nspluginscan, /usr/bin/nspluginviewer,
336 /usr/libexec/WebKitPluginProcess, /usr/lib/firefox/plugin-con‐
337 tainer
338
339
340 mozilla_plugin_rw_t
341
342 - Set files with the mozilla_plugin_rw_t type, if you want to treat the
343 files as mozilla plugin read/write content.
344
345
346
347 mozilla_plugin_tmp_t
348
349 - Set files with the mozilla_plugin_tmp_t type, if you want to store
350 mozilla plugin temporary files in the /tmp directories.
351
352
353
354 mozilla_plugin_tmpfs_t
355
356 - Set files with the mozilla_plugin_tmpfs_t type, if you want to store
357 mozilla plugin files on a tmpfs file system.
358
359
360
361 Note: File context can be temporarily modified with the chcon command.
362 If you want to permanently change the file context you need to use the
363 semanage fcontext command. This will modify the SELinux labeling data‐
364 base. You will need to use restorecon to apply the labels.
365
366
368 semanage fcontext can also be used to manipulate default file context
369 mappings.
370
371 semanage permissive can also be used to manipulate whether or not a
372 process type is permissive.
373
374 semanage module can also be used to enable/disable/install/remove pol‐
375 icy modules.
376
377 semanage boolean can also be used to manipulate the booleans
378
379
380 system-config-selinux is a GUI tool available to customize SELinux pol‐
381 icy settings.
382
383
385 This manual page was auto-generated using sepolicy manpage .
386
387
389 selinux(8), mozilla_plugin(8), semanage(8), restorecon(8), chcon(1),
390 sepolicy(8), setsebool(8), mozilla_plugin_config_selinux(8),
391 mozilla_plugin_config_selinux(8)
392
393
394
395mozilla_plugin 19-06-18 mozilla_plugin_selinux(8)