mozilla_selinux(8)          SELinux Policy mozilla          mozilla_selinux(8)

NAME

       mozilla_selinux - Security Enhanced Linux Policy for the mozilla
       processes

DESCRIPTION

       Security-Enhanced Linux secures the mozilla processes via flexible
       mandatory access control.

       The mozilla processes execute with the mozilla_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep mozilla_t

ENTRYPOINTS

       The mozilla_t SELinux type can be entered via the mozilla_exec_t file
       type.

       The default entrypoint paths for the mozilla_t domain are the
       following:

       /usr/lib/[^/]*firefox[^/]*/firefox,
       /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/lib/mozilla[^/]*/reg.+,
       /usr/lib/firefox[^/]*/mozilla-.*, /usr/lib/mozilla[^/]*/mozilla-.*,
       /usr/bin/mozilla-[0-9].*,
       /usr/lib/netscape/.+/communicator/communicator-smotif.real,
       /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/epiphany,
       /usr/bin/netscape, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon,
       /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       mozilla policy is very flexible, allowing users to set up their mozilla
       processes in as secure a manner as possible.

       The following process types are defined for mozilla:

       mozilla_t, mozilla_plugin_t, mozilla_plugin_config_t

       Note: semanage permissive -a mozilla_t can be used to make the process
       type mozilla_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. mozilla
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run mozilla with the tightest access
       possible.

       If you want to allow confined web browsers to read home directory
       content, you must turn on the mozilla_read_content boolean. Disabled by
       default.

       setsebool -P mozilla_read_content 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable, you must turn on the
       deny_execmem boolean. Mapping memory this way is dangerous, and an
       executable that needs it should be reported in bugzilla. Enabled by
       default.

       setsebool -P deny_execmem 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.

       setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1
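       The states above are the documented defaults; on a live host they drift
       as administrators flip them. The following script is an added example,
       not part of this sepolicy-generated page: it reads getsebool -a style
       output and reports every boolean listed above that is off its documented
       default (the defaults table and the sample output are constructed from
       the list above).

```shell
#!/bin/sh
# Added example: audit boolean settings against the defaults this page
# documents. Input is "getsebool -a" style output ("name --> on|off").
# Constructed table of the booleans listed above with their documented defaults.
MOZILLA_BOOL_DEFAULTS='mozilla_read_content off
authlogin_nsswitch_use_ldap off
deny_execmem on
fips_mode on
kerberos_enabled on
nis_enabled off
nscd_use_shm off
selinuxuser_direct_dri_enabled on
selinuxuser_execstack on
xserver_clients_write_xshm off'

# audit_booleans: read getsebool lines on stdin; print "name current default"
# for every documented boolean whose state differs from its default.
# Returns 0 when all documented booleans are at their defaults, 1 otherwise.
audit_booleans() {
    awk -v defs="$MOZILLA_BOOL_DEFAULTS" '
        BEGIN {
            # defs holds "name state" pairs; load them into def[name] = state
            n = split(defs, f, /[ \t\n]+/)
            for (i = 1; i < n; i += 2) def[f[i]] = f[i + 1]
        }
        # getsebool -a prints: name --> state   ($1 = name, $3 = state)
        ($1 in def) && $3 != def[$1] { print $1, $3, def[$1]; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of getsebool -a output: two booleans moved off their
# defaults (a browser allowed to read home content, execmem denial switched
# off) plus an unrelated boolean the audit ignores.
SAMPLE_GETSEBOOL='mozilla_read_content --> on
deny_execmem --> off
fips_mode --> on
kerberos_enabled --> on
some_unrelated_boolean --> on'

audit_sample() { printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans; }

# On a live host run:  getsebool -a | audit_booleans
audit_sample
```
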

MANAGED FILES

       The SELinux process type mozilla_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cifs_t


       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       gconf_home_t

            /root/.local.*
            /root/.gconf(d)?(/.*)?
            /home/[^/]+/.local.*
            /home/[^/]+/.gconf(d)?(/.*)?

       gnome_home_type


       mozilla_home_t

            /home/[^/]+/.lyx(/.*)?
            /home/[^/]+/.java(/.*)?
            /home/[^/]+/.adobe(/.*)?
            /home/[^/]+/.gnash(/.*)?
            /home/[^/]+/.webex(/.*)?
            /home/[^/]+/.IBMERS(/.*)?
            /home/[^/]+/.galeon(/.*)?
            /home/[^/]+/.spicec(/.*)?
            /home/[^/]+/POkemon.*(/.*)?
            /home/[^/]+/.icedtea(/.*)?
            /home/[^/]+/.mozilla(/.*)?
            /home/[^/]+/.phoenix(/.*)?
            /home/[^/]+/.netscape(/.*)?
            /home/[^/]+/.ICAClient(/.*)?
            /home/[^/]+/.quakelive(/.*)?
            /home/[^/]+/.macromedia(/.*)?
            /home/[^/]+/.thunderbird(/.*)?
            /home/[^/]+/.gcjwebplugin(/.*)?
            /home/[^/]+/.grl-podcasts(/.*)?
            /home/[^/]+/.cache/mozilla(/.*)?
            /home/[^/]+/.icedteaplugin(/.*)?
            /home/[^/]+/zimbrauserdata(/.*)?
            /home/[^/]+/.juniper_networks(/.*)?
            /home/[^/]+/.cache/icedtea-web(/.*)?
            /home/[^/]+/abc
            /home/[^/]+/mozilla.pdf
            /home/[^/]+/.gnashpluginrc

       mozilla_tmp_t


       mozilla_tmpfs_t


       nfs_t


       pulseaudio_home_t

            /root/.pulse(/.*)?
            /root/.config/pulse(/.*)?
            /root/.esd_auth
            /root/.pulse-cookie
            /home/[^/]+/.pulse(/.*)?
            /home/[^/]+/.config/pulse(/.*)?
            /home/[^/]+/.esd_auth
            /home/[^/]+/.pulse-cookie

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       xserver_tmpfs_t


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mozilla policy is very flexible, allowing users to set up their
       mozilla processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for mozilla. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t mozilla_tmpfs_t '/srv/mymozilla_content(/.*)?'
       restorecon -R -v /srv/mymozilla_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

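       A path's label is decided by matching it against anchored regular
       expressions like the ones in this page. The following shell function is
       an added example, not part of the generated page: a small stand-in for
       matchpathcon(8) over a constructed rule table made of three
       mozilla_home_t patterns from this page (dots escaped, as the installed
       file_contexts writes them) plus the local rule the semanage fcontext
       command above creates. It assumes a simplified precedence model in which
       the last matching entry wins.

```shell
#!/bin/sh
# Added example: a small stand-in for matchpathcon(8) over a constructed
# rule table. Each line is "type anchored-regex". The three mozilla_home_t
# patterns come from this page (dots escaped as in the installed
# file_contexts); the last line is the local rule added by
#   semanage fcontext -a -t mozilla_tmpfs_t '/srv/mymozilla_content(/.*)?'
# Simplified precedence model (assumption): the last matching entry wins, so
# a local customization listed after the distribution rules overrides them.
FCONTEXT_RULES='mozilla_home_t  /home/[^/]+/\.mozilla(/.*)?
mozilla_home_t  /home/[^/]+/\.cache/mozilla(/.*)?
mozilla_home_t  /home/[^/]+/mozilla\.pdf
mozilla_tmpfs_t /srv/mymozilla_content(/.*)?'

# match_fcontext PATH: print the type the rule table assigns to PATH, or
# "(no match)" with exit status 1 when no anchored regex matches it.
match_fcontext() {
    printf '%s\n' "$FCONTEXT_RULES" | awk -v path="$1" '
        # $1 = type, $2 = regex; anchor the whole path like setfiles (^...$)
        path ~ ("^" $2 "$") { type = $1 }
        END {
            if (type == "") { print "(no match)"; exit 1 }
            print type
        }'
}

# What restorecon would apply after the semanage command above,
# and how a stock profile path is labeled:
match_fcontext /srv/mymozilla_content/profile/cache2      # mozilla_tmpfs_t
match_fcontext /home/alice/.mozilla/firefox/places.sqlite # mozilla_home_t
```

       Because the dot is escaped, /home/alice/mozillaXpdf is not labeled
       mozilla_home_t, which is the difference between the patterns as printed
       above and the entries actually installed.
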
       The following file types are defined for mozilla:

       mozilla_conf_t

       - Set files with the mozilla_conf_t type, if you want to treat the
       files as mozilla configuration data, usually stored under the /etc
       directory.

       mozilla_exec_t

       - Set files with the mozilla_exec_t type, if you want to transition an
       executable to the mozilla_t domain.

       Paths:
            /usr/lib/[^/]*firefox[^/]*/firefox,
            /usr/lib/[^/]*firefox[^/]*/firefox-bin,
            /usr/lib/mozilla[^/]*/reg.+, /usr/lib/firefox[^/]*/mozilla-.*,
            /usr/lib/mozilla[^/]*/mozilla-.*, /usr/bin/mozilla-[0-9].*,
            /usr/lib/netscape/.+/communicator/communicator-smotif.real,
            /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/epiphany,
            /usr/bin/netscape, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon,
            /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper

       mozilla_home_t

       - Set files with the mozilla_home_t type, if you want to store mozilla
       files in the user's home directory.

       Paths:
            /home/[^/]+/.lyx(/.*)?, /home/[^/]+/.java(/.*)?,
            /home/[^/]+/.adobe(/.*)?, /home/[^/]+/.gnash(/.*)?,
            /home/[^/]+/.webex(/.*)?, /home/[^/]+/.IBMERS(/.*)?,
            /home/[^/]+/.galeon(/.*)?, /home/[^/]+/.spicec(/.*)?,
            /home/[^/]+/POkemon.*(/.*)?, /home/[^/]+/.icedtea(/.*)?,
            /home/[^/]+/.mozilla(/.*)?, /home/[^/]+/.phoenix(/.*)?,
            /home/[^/]+/.netscape(/.*)?, /home/[^/]+/.ICAClient(/.*)?,
            /home/[^/]+/.quakelive(/.*)?, /home/[^/]+/.macromedia(/.*)?,
            /home/[^/]+/.thunderbird(/.*)?, /home/[^/]+/.gcjwebplugin(/.*)?,
            /home/[^/]+/.grl-podcasts(/.*)?, /home/[^/]+/.cache/mozilla(/.*)?,
            /home/[^/]+/.icedteaplugin(/.*)?, /home/[^/]+/zimbrauserdata(/.*)?,
            /home/[^/]+/.juniper_networks(/.*)?,
            /home/[^/]+/.cache/icedtea-web(/.*)?, /home/[^/]+/abc,
            /home/[^/]+/mozilla.pdf, /home/[^/]+/.gnashpluginrc

       mozilla_plugin_config_exec_t

       - Set files with the mozilla_plugin_config_exec_t type, if you want to
       transition an executable to the mozilla_plugin_config_t domain.

       mozilla_plugin_exec_t

       - Set files with the mozilla_plugin_exec_t type, if you want to
       transition an executable to the mozilla_plugin_t domain.

       Paths:
            /usr/lib/xulrunner[^/]*/plugin-container,
            /usr/lib/nspluginwrapper/npviewer.bin, /usr/bin/nspluginscan,
            /usr/bin/nspluginviewer, /usr/libexec/WebKitPluginProcess,
            /usr/lib/firefox/plugin-container

       mozilla_plugin_rw_t

       - Set files with the mozilla_plugin_rw_t type, if you want to treat the
       files as mozilla plugin read/write content.

       mozilla_plugin_tmp_t

       - Set files with the mozilla_plugin_tmp_t type, if you want to store
       mozilla plugin temporary files in the /tmp directories.

       mozilla_plugin_tmpfs_t

       - Set files with the mozilla_plugin_tmpfs_t type, if you want to store
       mozilla plugin files on a tmpfs file system.

       mozilla_tmp_t

       - Set files with the mozilla_tmp_t type, if you want to store mozilla
       temporary files in the /tmp directories.

       mozilla_tmpfs_t

       - Set files with the mozilla_tmpfs_t type, if you want to store mozilla
       files on a tmpfs file system.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), mozilla_plugin_selinux(8),
       mozilla_plugin_config_selinux(8)

mozilla                            19-06-18                 mozilla_selinux(8)