mozilla_selinux(8)          SELinux Policy mozilla          mozilla_selinux(8)

NAME

       mozilla_selinux - Security Enhanced Linux Policy for the mozilla processes


DESCRIPTION

       Security-Enhanced Linux secures the mozilla processes via flexible
       mandatory access control.

       The mozilla processes execute with the mozilla_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep mozilla_t


ENTRYPOINTS

       The mozilla_t SELinux type can be entered via the mozilla_exec_t file
       type.

       The default entrypoint paths for the mozilla_t domain are the
       following:

            /usr/lib/[^/]*firefox[^/]*/firefox
            /usr/lib/[^/]*firefox[^/]*/firefox-bin
            /usr/lib/mozilla[^/]*/reg.+
            /usr/lib/firefox[^/]*/mozilla-.*
            /usr/lib/mozilla[^/]*/mozilla-.*
            /usr/bin/mozilla-[0-9].*
            /usr/lib/netscape/.+/communicator/communicator-smotif.real
            /usr/bin/mozilla-bin-[0-9].*
            /usr/bin/mozilla
            /usr/bin/epiphany
            /usr/bin/netscape
            /usr/bin/epiphany-bin
            /usr/lib/galeon/galeon
            /usr/bin/mozilla-snapshot
            /usr/lib/netscape/base-4/wrapper


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       mozilla policy is very flexible, allowing users to set up their mozilla
       processes in as secure a manner as possible.

       The following process types are defined for mozilla:

       mozilla_t, mozilla_plugin_t, mozilla_plugin_config_t

       Note: semanage permissive -a mozilla_t can be used to make the process
       type mozilla_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. mozilla
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run mozilla with the tightest access
       possible.

       If you want to allow confined web browsers to read home directory
       content, you must turn on the mozilla_read_content boolean. Disabled by
       default.

       setsebool -P mozilla_read_content 1

       If you want to deny user domain applications the ability to map a memory
       region as both executable and writable, you must turn on the
       deny_execmem boolean. Such a mapping is dangerous, and the executable
       that requests it should be reported in bugzilla. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary. It probably indicates a badly coded
       executable, but could indicate an attack; the executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1

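       The following Python snippet is an added example, not part of the
       generated manual page: it parses `getsebool -a` output and reports the
       booleans listed above whose current value differs from the default this
       page documents, together with the setsebool command that restores it.
       The sample output is constructed, not captured from a real host.

```python
import re

# Booleans named on this manual page with the default the page documents
# (True = on).  These are the only values the check knows about.
PAGE_BOOLEAN_DEFAULTS = {
    "mozilla_read_content": False,
    "deny_execmem": True,
    "fips_mode": True,
    "nis_enabled": False,
    "selinuxuser_direct_dri_enabled": False,
    "selinuxuser_execstack": False,
    "xserver_clients_write_xshm": False,
}

# `getsebool -a` prints one boolean per line as "name --> on" / "name --> off".
_GETSEBOOL_LINE = re.compile(r"^(\S+)\s+-->\s+(on|off)$")


def parse_getsebool(output: str) -> dict:
    """Parse getsebool output into {name: bool}; lines in another format are ignored."""
    state = {}
    for line in output.splitlines():
        m = _GETSEBOOL_LINE.match(line.strip())
        if m:
            state[m.group(1)] = m.group(2) == "on"
    return state


def boolean_drift(state: dict) -> list:
    """Return (name, current, default, restore_command) for each boolean from this
    page whose live value differs from the documented default.  Booleans missing
    from `state` (not present in the running policy) are skipped, not reported."""
    drift = []
    for name, default in PAGE_BOOLEAN_DEFAULTS.items():
        if name in state and state[name] != default:
            restore = f"setsebool -P {name} {int(default)}"
            drift.append((name, state[name], default, restore))
    return drift


# Constructed sample of getsebool -a output (two booleans deliberately loosened).
SAMPLE_GETSEBOOL = """\
deny_execmem --> off
fips_mode --> on
mozilla_read_content --> on
nis_enabled --> off
selinuxuser_execstack --> off
xserver_clients_write_xshm --> off
unrelated_bool --> on
"""

if __name__ == "__main__":
    for name, cur, default, restore in boolean_drift(parse_getsebool(SAMPLE_GETSEBOOL)):
        print(f"{name}: is {'on' if cur else 'off'}, default {'on' if default else 'off'}; {restore}")
```

       On a live host, feed it `subprocess.run(["getsebool", "-a"], capture_output=True, text=True).stdout` instead of the sample.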

MANAGED FILES

       The SELinux process type mozilla_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cifs_t

       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       gnome_home_type

       mozilla_home_t

            /home/[^/]+/.lyx(/.*)?
            /home/[^/]+/.java(/.*)?
            /home/[^/]+/.adobe(/.*)?
            /home/[^/]+/.gnash(/.*)?
            /home/[^/]+/.webex(/.*)?
            /home/[^/]+/.IBMERS(/.*)?
            /home/[^/]+/.galeon(/.*)?
            /home/[^/]+/.spicec(/.*)?
            /home/[^/]+/POkemon.*(/.*)?
            /home/[^/]+/.icedtea(/.*)?
            /home/[^/]+/.mozilla(/.*)?
            /home/[^/]+/.phoenix(/.*)?
            /home/[^/]+/.netscape(/.*)?
            /home/[^/]+/.ICAClient(/.*)?
            /home/[^/]+/.quakelive(/.*)?
            /home/[^/]+/.macromedia(/.*)?
            /home/[^/]+/.thunderbird(/.*)?
            /home/[^/]+/.gcjwebplugin(/.*)?
            /home/[^/]+/.grl-podcasts(/.*)?
            /home/[^/]+/.cache/mozilla(/.*)?
            /home/[^/]+/.icedteaplugin(/.*)?
            /home/[^/]+/zimbrauserdata(/.*)?
            /home/[^/]+/.juniper_networks(/.*)?
            /home/[^/]+/.cache/icedtea-web(/.*)?
            /home/[^/]+/abc
            /home/[^/]+/mozilla.pdf
            /home/[^/]+/.gnashpluginrc

       nfs_t

       pulseaudio_home_t

            /root/.pulse(/.*)?
            /root/.config/pulse(/.*)?
            /root/.esd_auth
            /root/.pulse-cookie
            /home/[^/]+/.pulse(/.*)?
            /home/[^/]+/.config/pulse(/.*)?
            /home/[^/]+/.esd_auth
            /home/[^/]+/.pulse-cookie

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mozilla policy is very flexible, allowing users to set up their
       mozilla processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for mozilla. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t mozilla_tmpfs_t '/srv/mymozilla_content(/.*)?'
       restorecon -R -v /srv/mymozilla_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.
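
       The following Python model is an added example, not part of the
       generated manual page: it takes a constructed subset of the file context
       entries from this page plus the local entry the semanage example above
       adds, and shows how a path is labeled. It assumes the precedence order
       stated in file_contexts(5) (local entries beat base entries; within a
       file the last matching entry wins) and ignores stem indexing and file
       class. It also makes visible that the '.' before a dot-directory name in
       these patterns is an unescaped regex wildcard.

```python
import re

# Constructed subset of the (regex, type) entries listed on this page, in
# file_contexts order.  SELinux compares each regex against the whole path,
# which is why the lookup below uses re.fullmatch().
BASE_FCONTEXTS = [
    (r"/home/[^/]+/.mozilla(/.*)?", "mozilla_home_t"),
    (r"/home/[^/]+/.cache/mozilla(/.*)?", "mozilla_home_t"),
    (r"/home/[^/]+/.config/pulse(/.*)?", "pulseaudio_home_t"),
    (r"/home/[^/]+/.cache/fontconfig(/.*)?", "user_fonts_cache_t"),
    (r"/usr/lib/[^/]*firefox[^/]*/firefox", "mozilla_exec_t"),
    (r"/usr/lib/xulrunner[^/]*/plugin-container", "mozilla_plugin_exec_t"),
]
# The local entry created by this page's `semanage fcontext -a` example.
LOCAL_FCONTEXTS = [
    (r"/srv/mymozilla_content(/.*)?", "mozilla_tmpfs_t"),
]


def label_for(path, base=BASE_FCONTEXTS, local=LOCAL_FCONTEXTS):
    """Return the file type `path` would receive, or None if nothing matches.

    Assumed precedence (per file_contexts(5)): local entries are consulted
    before base entries, and within one list the last matching entry wins.
    Real lookups also use stem indexing and the file class; ignored here.
    """
    for entries in (local, base):
        for pattern, ftype in reversed(entries):
            if re.fullmatch(pattern, path):
                return ftype
    return None


def escape_dotdirs(pattern):
    """Tightened form of `pattern` with the '.' that starts a dot-directory
    name escaped, so it no longer matches an arbitrary character there.
    Only '/.' followed by a letter is touched; the '(/.*)?' suffix is kept."""
    return re.sub(r"/\.(?=[A-Za-z])", r"/\\.", pattern)


if __name__ == "__main__":
    for p in ("/home/alice/.mozilla/firefox/profiles.ini", "/home/alice/xmozilla",
              "/srv/mymozilla_content/index.html", "/usr/lib/firefox-91/firefox"):
        print(p, "->", label_for(p))
```

       The unescaped dot means /home/alice/xmozilla is labeled mozilla_home_t
       just like /home/alice/.mozilla; a local entry written with the escaped
       form is how an administrator narrows that if it matters.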

       The following file types are defined for mozilla:

       mozilla_conf_t

       - Set files with the mozilla_conf_t type, if you want to treat the
       files as mozilla configuration data, usually stored under the /etc
       directory.

       mozilla_exec_t

       - Set files with the mozilla_exec_t type, if you want to transition an
       executable to the mozilla_t domain.

       Paths:
            /usr/lib/[^/]*firefox[^/]*/firefox
            /usr/lib/[^/]*firefox[^/]*/firefox-bin
            /usr/lib/mozilla[^/]*/reg.+
            /usr/lib/firefox[^/]*/mozilla-.*
            /usr/lib/mozilla[^/]*/mozilla-.*
            /usr/bin/mozilla-[0-9].*
            /usr/lib/netscape/.+/communicator/communicator-smotif.real
            /usr/bin/mozilla-bin-[0-9].*
            /usr/bin/mozilla
            /usr/bin/epiphany
            /usr/bin/netscape
            /usr/bin/epiphany-bin
            /usr/lib/galeon/galeon
            /usr/bin/mozilla-snapshot
            /usr/lib/netscape/base-4/wrapper

       mozilla_home_t

       - Set files with the mozilla_home_t type, if you want to store mozilla
       files in the users home directory.

       Paths:
            /home/[^/]+/.lyx(/.*)?
            /home/[^/]+/.java(/.*)?
            /home/[^/]+/.adobe(/.*)?
            /home/[^/]+/.gnash(/.*)?
            /home/[^/]+/.webex(/.*)?
            /home/[^/]+/.IBMERS(/.*)?
            /home/[^/]+/.galeon(/.*)?
            /home/[^/]+/.spicec(/.*)?
            /home/[^/]+/POkemon.*(/.*)?
            /home/[^/]+/.icedtea(/.*)?
            /home/[^/]+/.mozilla(/.*)?
            /home/[^/]+/.phoenix(/.*)?
            /home/[^/]+/.netscape(/.*)?
            /home/[^/]+/.ICAClient(/.*)?
            /home/[^/]+/.quakelive(/.*)?
            /home/[^/]+/.macromedia(/.*)?
            /home/[^/]+/.thunderbird(/.*)?
            /home/[^/]+/.gcjwebplugin(/.*)?
            /home/[^/]+/.grl-podcasts(/.*)?
            /home/[^/]+/.cache/mozilla(/.*)?
            /home/[^/]+/.icedteaplugin(/.*)?
            /home/[^/]+/zimbrauserdata(/.*)?
            /home/[^/]+/.juniper_networks(/.*)?
            /home/[^/]+/.cache/icedtea-web(/.*)?
            /home/[^/]+/abc
            /home/[^/]+/mozilla.pdf
            /home/[^/]+/.gnashpluginrc

       mozilla_plugin_config_exec_t

       - Set files with the mozilla_plugin_config_exec_t type, if you want to
       transition an executable to the mozilla_plugin_config_t domain.

       mozilla_plugin_exec_t

       - Set files with the mozilla_plugin_exec_t type, if you want to
       transition an executable to the mozilla_plugin_t domain.

       Paths:
            /usr/lib/xulrunner[^/]*/plugin-container
            /usr/lib/nspluginwrapper/npviewer.bin
            /usr/bin/nspluginscan
            /usr/bin/nspluginviewer
            /usr/libexec/WebKitPluginProcess
            /usr/lib/firefox/plugin-container

       mozilla_plugin_rw_t

       - Set files with the mozilla_plugin_rw_t type, if you want to treat the
       files as mozilla plugin read/write content.

       mozilla_plugin_tmp_t

       - Set files with the mozilla_plugin_tmp_t type, if you want to store
       mozilla plugin temporary files in the /tmp directories.

       mozilla_plugin_tmpfs_t

       - Set files with the mozilla_plugin_tmpfs_t type, if you want to store
       mozilla plugin files on a tmpfs file system.

       mozilla_tmp_t

       - Set files with the mozilla_tmp_t type, if you want to store mozilla
       temporary files in the /tmp directories.

       mozilla_tmpfs_t

       - Set files with the mozilla_tmpfs_t type, if you want to store mozilla
       files on a tmpfs file system.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), mozilla_plugin_selinux(8),
       mozilla_plugin_config_selinux(8)



mozilla                            20-05-05                 mozilla_selinux(8)