mozilla_selinux(8) SELinux Policy mozilla mozilla_selinux(8)

NAME
mozilla_selinux - Security Enhanced Linux Policy for the mozilla processes

DESCRIPTION
Security-Enhanced Linux secures the mozilla processes via flexible mandatory access control.

The mozilla processes execute with the mozilla_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep mozilla_t

ENTRYPOINTS
The mozilla_t SELinux type can be entered via the mozilla_exec_t file type.

The default entrypoint paths for the mozilla_t domain are the following:

/usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/firefox[^/]*/mozilla-.*, /usr/lib/mozilla[^/]*/mozilla-.*, /usr/bin/mozilla-[0-9].*, /usr/lib/netscape/.+/communicator/communicator-smotif.real, /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/epiphany, /usr/bin/netscape, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon, /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux mozilla policy is very flexible, allowing users to set up their mozilla processes in as secure a method as possible.

The following process types are defined for mozilla:

mozilla_t, mozilla_plugin_t, mozilla_plugin_config_t

Note: semanage permissive -a mozilla_t can be used to make the process type mozilla_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.


BOOLEANS
SELinux policy is customizable based on least access required. mozilla policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla with the tightest access possible.

If you want to allow confined web browsers to read home directory content, you must turn on the mozilla_read_content boolean. Disabled by default.

setsebool -P mozilla_read_content 1

If you want to deny user domain applications the ability to map a memory region as both executable and writable, you must turn on the deny_execmem boolean. Such a mapping is dangerous, and an executable that needs it should be reported in bugzilla. Enabled by default.

setsebool -P deny_execmem 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Disabled by default.

setsebool -P selinuxuser_direct_dri_enabled 1

If you want to allow unconfined executables to make their stack executable, you must turn on the selinuxuser_execstack boolean. This should never, ever be necessary: it probably indicates a badly coded executable, but could indicate an attack, and the executable should be reported in bugzilla. Disabled by default.

setsebool -P selinuxuser_execstack 1

If you want to allow clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default.

setsebool -P xserver_clients_write_xshm 1

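As an added example (not part of the sepolicy-generated page), the following shell script audits the booleans listed above against the defaults this page states, using the "name --> on|off" line format that getsebool -a prints; the sample listing is constructed.

```shell
# Added example, not from the sepolicy-generated man page: compare the
# booleans documented above with the defaults the page states.
# Input lines use the "name --> on|off" format printed by `getsebool -a`.

# Documented default for each boolean named on this page.
expected_default() {
    case "$1" in
        deny_execmem|fips_mode) echo on ;;
        mozilla_read_content|nis_enabled|selinuxuser_direct_dri_enabled) echo off ;;
        selinuxuser_execstack|xserver_clients_write_xshm) echo off ;;
        *) echo unknown ;;
    esac
}

# Compare one getsebool line with the documented default.
# Prints "OK <name>", "SKIP <name>" or "DRIFT <name> expected <x> got <y>".
audit_boolean_line() {
    name=${1%% *}      # first word: boolean name
    value=${1##* }     # last word: on|off
    want=$(expected_default "$name")
    if [ "$want" = unknown ]; then
        echo "SKIP $name"
    elif [ "$want" = "$value" ]; then
        echo "OK $name"
    else
        echo "DRIFT $name expected $want got $value"
    fi
}

# Audit a whole getsebool listing read from stdin, ignoring other lines.
audit_booleans() {
    while IFS= read -r line; do
        case "$line" in *" --> "*) audit_boolean_line "$line" ;; esac
    done
}

# Constructed sample in the format `getsebool -a` prints; on a live system
# run: getsebool -a | audit_booleans
sample_getsebool='mozilla_read_content --> off
deny_execmem --> off
fips_mode --> on
selinuxuser_execstack --> on
unrelated_bool --> on'

printf '%s\n' "$sample_getsebool" | audit_booleans
```

A DRIFT line for deny_execmem or selinuxuser_execstack is worth a second look, since the page explains why those two are normally left at their defaults.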
MANAGED FILES
The SELinux process type mozilla_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the process's UID still needs to have DAC permissions.

cifs_t

ecryptfs_t

/home/[^/]+/.Private(/.*)?
/home/[^/]+/.ecryptfs(/.*)?

fusefs_t

/var/run/user/[^/]*/gvfs

gnome_home_type

mozilla_home_t

/home/[^/]+/.lyx(/.*)?
/home/[^/]+/.java(/.*)?
/home/[^/]+/.adobe(/.*)?
/home/[^/]+/.gnash(/.*)?
/home/[^/]+/.webex(/.*)?
/home/[^/]+/.IBMERS(/.*)?
/home/[^/]+/.galeon(/.*)?
/home/[^/]+/.spicec(/.*)?
/home/[^/]+/POkemon.*(/.*)?
/home/[^/]+/.icedtea(/.*)?
/home/[^/]+/.mozilla(/.*)?
/home/[^/]+/.phoenix(/.*)?
/home/[^/]+/.netscape(/.*)?
/home/[^/]+/.ICAClient(/.*)?
/home/[^/]+/.quakelive(/.*)?
/home/[^/]+/.macromedia(/.*)?
/home/[^/]+/.thunderbird(/.*)?
/home/[^/]+/.gcjwebplugin(/.*)?
/home/[^/]+/.grl-podcasts(/.*)?
/home/[^/]+/.cache/mozilla(/.*)?
/home/[^/]+/.icedteaplugin(/.*)?
/home/[^/]+/zimbrauserdata(/.*)?
/home/[^/]+/.juniper_networks(/.*)?
/home/[^/]+/.cache/icedtea-web(/.*)?
/home/[^/]+/abc
/home/[^/]+/mozilla.pdf
/home/[^/]+/.gnashpluginrc

nfs_t

pulseaudio_home_t

/root/.pulse(/.*)?
/root/.config/pulse(/.*)?
/root/.esd_auth
/root/.pulse-cookie
/home/[^/]+/.pulse(/.*)?
/home/[^/]+/.config/pulse(/.*)?
/home/[^/]+/.esd_auth
/home/[^/]+/.pulse-cookie

user_fonts_cache_t

/root/.fontconfig(/.*)?
/root/.fonts/auto(/.*)?
/root/.fonts.cache-.*
/root/.cache/fontconfig(/.*)?
/home/[^/]+/.fontconfig(/.*)?
/home/[^/]+/.fonts/auto(/.*)?
/home/[^/]+/.fonts.cache-.*
/home/[^/]+/.cache/fontconfig(/.*)?

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux mozilla policy is very flexible, allowing users to set up their mozilla processes in as secure a method as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for mozilla. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t mozilla_tmpfs_t '/srv/mymozilla_content(/.*)?'
restorecon -R -v /srv/mymozilla_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

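As an added example (not part of the sepolicy-generated page), the script below shows how the regex-based file contexts listed on this page resolve a path to a type, and how the semanage fcontext entry from the example above changes that answer; the table is a constructed subset of the page's own regexes, and on a real system matchpathcon(8) performs this lookup against the actual labeling database.

```shell
# Added example, not from the sepolicy-generated man page: predict the type a
# path receives from the mozilla file-context regexes listed on this page.
# SELinux matches each regex against the whole path, so patterns are anchored.

# Constructed subset of the "regex type" table from this page. Entries added
# later are tried first, mirroring the precedence of local semanage entries.
fcontext_table='/home/[^/]+/.mozilla(/.*)? mozilla_home_t
/home/[^/]+/.cache/mozilla(/.*)? mozilla_home_t
/home/[^/]+/.thunderbird(/.*)? mozilla_home_t
/home/[^/]+/.cache/fontconfig(/.*)? user_fonts_cache_t
/home/[^/]+/.config/pulse(/.*)? pulseaudio_home_t
/usr/lib/firefox/plugin-container mozilla_plugin_exec_t
/usr/bin/epiphany mozilla_exec_t'

# In-memory equivalent of `semanage fcontext -a -t TYPE REGEX`.
add_fcontext() {
    fcontext_table="$1 $2
$fcontext_table"
}

# Print the type of the first regex matching the full path, else "unlabeled".
expected_type() {
    match=$(printf '%s\n' "$fcontext_table" | while read -r regex type; do
        if printf '%s\n' "$1" | grep -Eq "^${regex}\$"; then
            echo "$type"
            break
        fi
    done)
    echo "${match:-unlabeled}"
}

# Apply the custom labeling from the semanage example above to the table.
add_fcontext '/srv/mymozilla_content(/.*)?' mozilla_tmpfs_t

expected_type /home/alice/.mozilla/firefox/profiles.ini   # mozilla_home_t
expected_type /srv/mymozilla_content/index.html           # mozilla_tmpfs_t
expected_type /home/alice/Documents/notes.txt             # unlabeled
```

The unescaped dot in patterns such as /home/[^/]+/.mozilla(/.*)? matches any character, exactly as it does in the policy's own regexes, which is one reason to verify new entries with matchpathcon before running restorecon -R.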
The following file types are defined for mozilla:

mozilla_conf_t

- Set files with the mozilla_conf_t type, if you want to treat the files as mozilla configuration data, usually stored under the /etc directory.

mozilla_exec_t

- Set files with the mozilla_exec_t type, if you want to transition an executable to the mozilla_t domain.

Paths:
/usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/firefox[^/]*/mozilla-.*, /usr/lib/mozilla[^/]*/mozilla-.*, /usr/bin/mozilla-[0-9].*, /usr/lib/netscape/.+/communicator/communicator-smotif.real, /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/epiphany, /usr/bin/netscape, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon, /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper

mozilla_home_t

- Set files with the mozilla_home_t type, if you want to store mozilla files in the users home directory.

Paths:
/home/[^/]+/.lyx(/.*)?, /home/[^/]+/.java(/.*)?, /home/[^/]+/.adobe(/.*)?, /home/[^/]+/.gnash(/.*)?, /home/[^/]+/.webex(/.*)?, /home/[^/]+/.IBMERS(/.*)?, /home/[^/]+/.galeon(/.*)?, /home/[^/]+/.spicec(/.*)?, /home/[^/]+/POkemon.*(/.*)?, /home/[^/]+/.icedtea(/.*)?, /home/[^/]+/.mozilla(/.*)?, /home/[^/]+/.phoenix(/.*)?, /home/[^/]+/.netscape(/.*)?, /home/[^/]+/.ICAClient(/.*)?, /home/[^/]+/.quakelive(/.*)?, /home/[^/]+/.macromedia(/.*)?, /home/[^/]+/.thunderbird(/.*)?, /home/[^/]+/.gcjwebplugin(/.*)?, /home/[^/]+/.grl-podcasts(/.*)?, /home/[^/]+/.cache/mozilla(/.*)?, /home/[^/]+/.icedteaplugin(/.*)?, /home/[^/]+/zimbrauserdata(/.*)?, /home/[^/]+/.juniper_networks(/.*)?, /home/[^/]+/.cache/icedtea-web(/.*)?, /home/[^/]+/abc, /home/[^/]+/mozilla.pdf, /home/[^/]+/.gnashpluginrc

mozilla_plugin_config_exec_t

- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain.

mozilla_plugin_exec_t

- Set files with the mozilla_plugin_exec_t type, if you want to transition an executable to the mozilla_plugin_t domain.

Paths:
/usr/lib/xulrunner[^/]*/plugin-container, /usr/lib/nspluginwrapper/npviewer.bin, /usr/bin/nspluginscan, /usr/bin/nspluginviewer, /usr/libexec/WebKitPluginProcess, /usr/lib/firefox/plugin-container

mozilla_plugin_rw_t

- Set files with the mozilla_plugin_rw_t type, if you want to treat the files as mozilla plugin read/write content.

mozilla_plugin_tmp_t

- Set files with the mozilla_plugin_tmp_t type, if you want to store mozilla plugin temporary files in the /tmp directories.

mozilla_plugin_tmpfs_t

- Set files with the mozilla_plugin_tmpfs_t type, if you want to store mozilla plugin files on a tmpfs file system.

mozilla_tmp_t

- Set files with the mozilla_tmp_t type, if you want to store mozilla temporary files in the /tmp directories.

mozilla_tmpfs_t

- Set files with the mozilla_tmpfs_t type, if you want to store mozilla files on a tmpfs file system.

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.

COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), mozilla_plugin_selinux(8), mozilla_plugin_config_selinux(8)

mozilla 20-05-05 mozilla_selinux(8)