mozilla_plugin_selinux(8)

1mozilla_plugin_selinux(8)SELinux Policy mozilla_pluginmozilla_plugin_selinux(8)
2
3
4

NAME

6       mozilla_plugin_selinux   -  Security  Enhanced  Linux  Policy  for  the
7       mozilla_plugin processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the mozilla_plugin processes via flexi‐
11       ble mandatory access control.
12
13       The  mozilla_plugin processes execute with the mozilla_plugin_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep mozilla_plugin_t
20
21
22

ENTRYPOINTS

24       The  mozilla_plugin_t SELinux type can be entered via the mozilla_plug‐
25       in_exec_t file type.
26
27       The default entrypoint paths for the mozilla_plugin_t  domain  are  the
28       following:
29
30       /usr/lib/xulrunner[^/]*/plugin-container,        /usr/lib/nspluginwrap‐
31       per/npviewer.bin,    /usr/bin/nspluginscan,    /usr/bin/nspluginviewer,
32       /usr/libexec/WebKitPluginProcess, /usr/lib/firefox/plugin-container
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       mozilla_plugin  policy  is  very flexible allowing users to setup their
42       mozilla_plugin processes in as secure a method as possible.
43
44       The following process types are defined for mozilla_plugin:
45
46       mozilla_plugin_t, mozilla_plugin_config_t
47
48       Note: semanage permissive -a mozilla_plugin_t can be used to  make  the
49       process  type mozilla_plugin_t permissive. SELinux does not deny access
50       to permissive process types, but the AVC (SELinux denials) messages are
51       still generated.
52
53

BOOLEANS

55       SELinux   policy  is  customizable  based  on  least  access  required.
56       mozilla_plugin policy is extremely flexible and  has  several  booleans
57       that allow you to manipulate the policy and run mozilla_plugin with the
58       tightest access possible.
59
60
61
62       If you want to allow mozilla plugin domain to bind  unreserved  tcp/udp
63       ports,  you must turn on the mozilla_plugin_bind_unreserved_ports bool‐
64       ean. Disabled by default.
65
66       setsebool -P mozilla_plugin_bind_unreserved_ports 1
67
68
69
70       If you want to allow mozilla plugin domain to connect  to  the  network
71       using  TCP,  you  must  turn  on the mozilla_plugin_can_network_connect
72       boolean. Enabled by default.
73
74       setsebool -P mozilla_plugin_can_network_connect 1
75
76
77
78       If you want to allow mozilla plugin to use Bluejeans, you must turn  on
79       the mozilla_plugin_use_bluejeans boolean. Disabled by default.
80
81       setsebool -P mozilla_plugin_use_bluejeans 1
82
83
84
85       If  you  want  to allow mozilla plugin to support GPS, you must turn on
86       the mozilla_plugin_use_gps boolean. Disabled by default.
87
88       setsebool -P mozilla_plugin_use_gps 1
89
90
91
92       If you want to allow mozilla plugin to  support  spice  protocols,  you
93       must turn on the mozilla_plugin_use_spice boolean. Disabled by default.
94
95       setsebool -P mozilla_plugin_use_spice 1
96
97
98
99       If you want to allow users to resolve user passwd entries directly from
100       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
101       gin_nsswitch_use_ldap boolean. Disabled by default.
102
103       setsebool -P authlogin_nsswitch_use_ldap 1
104
105
106
107       If  you  want to deny all system processes and Linux users to use blue‐
108       tooth wireless technology, you must turn on the deny_bluetooth boolean.
109       Enabled by default.
110
111       setsebool -P deny_bluetooth 1
112
113
114
115       If you want to allow all domains to execute in fips_mode, you must turn
116       on the fips_mode boolean. Enabled by default.
117
118       setsebool -P fips_mode 1
119
120
121
122       If you want to allow confined applications to run  with  kerberos,  you
123       must turn on the kerberos_enabled boolean. Disabled by default.
124
125       setsebool -P kerberos_enabled 1
126
127
128
129       If  you  want  to  allow  system  to run with NIS, you must turn on the
130       nis_enabled boolean. Disabled by default.
131
132       setsebool -P nis_enabled 1
133
134
135
136       If you want to allow confined applications to use nscd  shared  memory,
137       you must turn on the nscd_use_shm boolean. Disabled by default.
138
139       setsebool -P nscd_use_shm 1
140
141
142
143       If  you  want  to  allow  all  unconfined  executables to use libraries
144       requiring text relocation that are  not  labeled  textrel_shlib_t,  you
145       must turn on the selinuxuser_execmod boolean. Disabled by default.
146
147       setsebool -P selinuxuser_execmod 1
148
149
150
151       If  you  want  to  allow  unconfined users to transition to the Mozilla
152       plugin domain when running xulrunner plugin-container, you must turn on
153       the unconfined_mozilla_plugin_transition boolean. Disabled by default.
154
155       setsebool -P unconfined_mozilla_plugin_transition 1
156
157
158
159       If  you  want  to  support  NFS  home directories, you must turn on the
160       use_nfs_home_dirs boolean. Enabled by default.
161
162       setsebool -P use_nfs_home_dirs 1
163
164
165
166       If you want to support SAMBA home directories, you  must  turn  on  the
167       use_samba_home_dirs boolean. Disabled by default.
168
169       setsebool -P use_samba_home_dirs 1
170
171
172

MANAGED FILES

174       The SELinux process type mozilla_plugin_t can manage files labeled with
175       the following file types.  The paths listed are the default  paths  for
176       these  file  types.  Note the processes UID still need to have DAC per‐
177       missions.
178
179       cifs_t
180
181
182       dosfs_t
183
184
185       ecryptfs_t
186
187            /home/[^/]+/.Private(/.*)?
188            /home/[^/]+/.ecryptfs(/.*)?
189
190       fusefs_t
191
192            /var/run/user/[^/]*/gvfs
193
194       gnome_home_type
195
196
197       home_cert_t
198
199            /root/.pki(/.*)?
200            /root/.cert(/.*)?
201            /home/[^/]+/.pki(/.*)?
202            /home/[^/]+/.cert(/.*)?
203            /home/[^/]+/.local/share/networkmanagement/certificates(/.*)?
204            /home/[^/]+/.kde/share/apps/networkmanagement/certificates(/.*)?
205
206       mozilla_home_t
207
208            /home/[^/]+/.lyx(/.*)?
209            /home/[^/]+/.java(/.*)?
210            /home/[^/]+/.adobe(/.*)?
211            /home/[^/]+/.gnash(/.*)?
212            /home/[^/]+/.webex(/.*)?
213            /home/[^/]+/.IBMERS(/.*)?
214            /home/[^/]+/.galeon(/.*)?
215            /home/[^/]+/.spicec(/.*)?
216            /home/[^/]+/POkemon.*(/.*)?
217            /home/[^/]+/.icedtea(/.*)?
218            /home/[^/]+/.mozilla(/.*)?
219            /home/[^/]+/.phoenix(/.*)?
220            /home/[^/]+/.netscape(/.*)?
221            /home/[^/]+/.ICAClient(/.*)?
222            /home/[^/]+/.quakelive(/.*)?
223            /home/[^/]+/.macromedia(/.*)?
224            /home/[^/]+/.thunderbird(/.*)?
225            /home/[^/]+/.gcjwebplugin(/.*)?
226            /home/[^/]+/.grl-podcasts(/.*)?
227            /home/[^/]+/.cache/mozilla(/.*)?
228            /home/[^/]+/.icedteaplugin(/.*)?
229            /home/[^/]+/zimbrauserdata(/.*)?
230            /home/[^/]+/.juniper_networks(/.*)?
231            /home/[^/]+/.cache/icedtea-web(/.*)?
232            /home/[^/]+/abc
233            /home/[^/]+/mozilla.pdf
234            /home/[^/]+/.gnashpluginrc
235
236       mozilla_plugin_tmp_t
237
238
239       mozilla_plugin_tmpfs_t
240
241
242       mplayer_home_t
243
244            /home/[^/]+/.mplayer(/.*)?
245
246       nfs_t
247
248
249       pulseaudio_home_t
250
251            /root/.pulse(/.*)?
252            /root/.config/pulse(/.*)?
253            /root/.esd_auth
254            /root/.pulse-cookie
255            /home/[^/]+/.pulse(/.*)?
256            /home/[^/]+/.config/pulse(/.*)?
257            /home/[^/]+/.esd_auth
258            /home/[^/]+/.pulse-cookie
259
260       texlive_home_t
261
262            /home/[^/]+/.texlive2012(/.*)?
263            /home/[^/]+/.texlive2013(/.*)?
264            /home/[^/]+/.texlive2014(/.*)?
265
266       user_fonts_cache_t
267
268            /root/.fontconfig(/.*)?
269            /root/.fonts/auto(/.*)?
270            /root/.fonts.cache-.*
271            /root/.cache/fontconfig(/.*)?
272            /home/[^/]+/.fontconfig(/.*)?
273            /home/[^/]+/.fonts/auto(/.*)?
274            /home/[^/]+/.fonts.cache-.*
275            /home/[^/]+/.cache/fontconfig(/.*)?
276
277       user_tmp_t
278
279            /dev/shm/mono.*
280            /var/run/user(/.*)?
281            /tmp/.ICE-unix(/.*)?
282            /tmp/.X11-unix(/.*)?
283            /dev/shm/pulse-shm.*
284            /tmp/.X0-lock
285            /tmp/hsperfdata_root
286            /var/tmp/hsperfdata_root
287            /home/[^/]+/tmp
288            /home/[^/]+/.tmp
289            /tmp/gconfd-[^/]+
290
291

FILE CONTEXTS

293       SELinux requires files to have an extended attribute to define the file
294       type.
295
296       You can see the context of a file using the -Z option to ls
297
298       Policy  governs  the  access  confined  processes  have to these files.
299       SELinux mozilla_plugin policy is very flexible allowing users to  setup
300       their mozilla_plugin processes in as secure a method as possible.
301
302       STANDARD FILE CONTEXT
303
304       SELinux  defines  the file context types for the mozilla_plugin, if you
305       wanted to store files with these types in a diffent paths, you need  to
306       execute  the  semanage  command to sepecify alternate labeling and then
307       use restorecon to put the labels on disk.
308
309       semanage fcontext -a -t mozilla_plugin_rw_t '/srv/mymozilla_plugin_con‐
310       tent(/.*)?'
311       restorecon -R -v /srv/mymozilla_plugin_content
312
313       Note:  SELinux  often  uses  regular expressions to specify labels that
314       match multiple files.
315
316       The following file types are defined for mozilla_plugin:
317
318
319
320       mozilla_plugin_config_exec_t
321
322       - Set files with the mozilla_plugin_config_exec_t type, if you want  to
323       transition an executable to the mozilla_plugin_config_t domain.
324
325
326
327       mozilla_plugin_exec_t
328
329       - Set files with the mozilla_plugin_exec_t type, if you want to transi‐
330       tion an executable to the mozilla_plugin_t domain.
331
332
333       Paths:
334            /usr/lib/xulrunner[^/]*/plugin-container,   /usr/lib/nspluginwrap‐
335            per/npviewer.bin,  /usr/bin/nspluginscan, /usr/bin/nspluginviewer,
336            /usr/libexec/WebKitPluginProcess,     /usr/lib/firefox/plugin-con‐
337            tainer
338
339
340       mozilla_plugin_rw_t
341
342       - Set files with the mozilla_plugin_rw_t type, if you want to treat the
343       files as mozilla plugin read/write content.
344
345
346
347       mozilla_plugin_tmp_t
348
349       - Set files with the mozilla_plugin_tmp_t type, if you  want  to  store
350       mozilla plugin temporary files in the /tmp directories.
351
352
353
354       mozilla_plugin_tmpfs_t
355
356       -  Set files with the mozilla_plugin_tmpfs_t type, if you want to store
357       mozilla plugin files on a tmpfs file system.
358
359
360
361       Note: File context can be temporarily modified with the chcon  command.
362       If  you want to permanently change the file context you need to use the
363       semanage fcontext command.  This will modify the SELinux labeling data‐
364       base.  You will need to use restorecon to apply the labels.
365
366

COMMANDS

368       semanage  fcontext  can also be used to manipulate default file context
369       mappings.
370
371       semanage permissive can also be used to manipulate  whether  or  not  a
372       process type is permissive.
373
374       semanage  module can also be used to enable/disable/install/remove pol‐
375       icy modules.
376
377       semanage boolean can also be used to manipulate the booleans
378
379
380       system-config-selinux is a GUI tool available to customize SELinux pol‐
381       icy settings.
382
383

AUTHOR

385       This manual page was auto-generated using sepolicy manpage .
386
387