1mozilla_selinux(8) SELinux Policy mozilla mozilla_selinux(8)
2
3
4
6 mozilla_selinux - Security Enhanced Linux Policy for the mozilla pro‐
7 cesses
8
10 Security-Enhanced Linux secures the mozilla processes via flexible
11 mandatory access control.
12
13 The mozilla processes execute with the mozilla_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep mozilla_t
20
21
22
24 The mozilla_t SELinux type can be entered via the mozilla_exec_t file
25 type.
26
27 The default entrypoint paths for the mozilla_t domain are the follow‐
28 ing:
29
30 /usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/[^/]*firefox[^/]*/firefox-
31 bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/firefox[^/]*/mozilla-.*,
32 /usr/lib/mozilla[^/]*/mozilla-.*, /usr/bin/mozilla-[0-9].*,
33 /usr/lib/netscape/.+/communicator/communicator-smotif.real,
34 /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/epiphany,
35 /usr/bin/netscape, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon,
36 /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper
37
39 SELinux defines process types (domains) for each process running on the
40 system
41
42 You can see the context of a process using the -Z option to ps
43
44 Policy governs the access confined processes have to files. SELinux
45 mozilla policy is very flexible allowing users to setup their mozilla
46 processes in as secure a method as possible.
47
48 The following process types are defined for mozilla:
49
50 mozilla_t, mozilla_plugin_t, mozilla_plugin_config_t
51
52 Note: semanage permissive -a mozilla_t can be used to make the process
53 type mozilla_t permissive. SELinux does not deny access to permissive
54 process types, but the AVC (SELinux denials) messages are still gener‐
55 ated.
56
57
59 SELinux policy is customizable based on least access required. mozilla
60 policy is extremely flexible and has several booleans that allow you to
61 manipulate the policy and run mozilla with the tightest access possi‐
62 ble.
63
64
65
66 If you want to allow confined web browsers to read home directory con‐
67 tent, you must turn on the mozilla_read_content boolean. Disabled by
68 default.
69
70 setsebool -P mozilla_read_content 1
71
72
73
74 If you want to deny user domains applications to map a memory region as
75 both executable and writable, this is dangerous and the executable
76 should be reported in bugzilla, you must turn on the deny_execmem bool‐
77 ean. Enabled by default.
78
79 setsebool -P deny_execmem 1
80
81
82
83 If you want to allow all domains to execute in fips_mode, you must turn
84 on the fips_mode boolean. Enabled by default.
85
86 setsebool -P fips_mode 1
87
88
89
90 If you want to allow system to run with NIS, you must turn on the
91 nis_enabled boolean. Disabled by default.
92
93 setsebool -P nis_enabled 1
94
95
96
97 If you want to allow regular users direct dri device access, you must
98 turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
99
100 setsebool -P selinuxuser_direct_dri_enabled 1
101
102
103
104 If you want to allow unconfined executables to make their stack exe‐
105 cutable. This should never, ever be necessary. Probably indicates a
106 badly coded executable, but could indicate an attack. This executable
107 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
108 stack boolean. Enabled by default.
109
110 setsebool -P selinuxuser_execstack 1
111
112
113
114 If you want to allows clients to write to the X server shared memory
115 segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
116 abled by default.
117
118 setsebool -P xserver_clients_write_xshm 1
119
120
121
123 The SELinux process type mozilla_t can manage files labeled with the
124 following file types. The paths listed are the default paths for these
125 file types. Note the processes UID still need to have DAC permissions.
126
127 cifs_t
128
129
130 ecryptfs_t
131
132 /home/[^/]+/.Private(/.*)?
133 /home/[^/]+/.ecryptfs(/.*)?
134
135 fusefs_t
136
137 /var/run/user/[^/]*/gvfs
138
139 gnome_home_type
140
141
142 krb5_host_rcache_t
143
144 /var/tmp/krb5_0.rcache2
145 /var/cache/krb5rcache(/.*)?
146 /var/tmp/nfs_0
147 /var/tmp/DNS_25
148 /var/tmp/host_0
149 /var/tmp/imap_0
150 /var/tmp/HTTP_23
151 /var/tmp/HTTP_48
152 /var/tmp/ldap_55
153 /var/tmp/ldap_487
154 /var/tmp/ldapmap1_0
155
156 mozilla_home_t
157
158 /home/[^/]+/.lyx(/.*)?
159 /home/[^/]+/.java(/.*)?
160 /home/[^/]+/.adobe(/.*)?
161 /home/[^/]+/.gnash(/.*)?
162 /home/[^/]+/.webex(/.*)?
163 /home/[^/]+/.IBMERS(/.*)?
164 /home/[^/]+/.galeon(/.*)?
165 /home/[^/]+/.spicec(/.*)?
166 /home/[^/]+/POkemon.*(/.*)?
167 /home/[^/]+/.icedtea(/.*)?
168 /home/[^/]+/.mozilla(/.*)?
169 /home/[^/]+/.phoenix(/.*)?
170 /home/[^/]+/.netscape(/.*)?
171 /home/[^/]+/.ICAClient(/.*)?
172 /home/[^/]+/.quakelive(/.*)?
173 /home/[^/]+/.macromedia(/.*)?
174 /home/[^/]+/.thunderbird(/.*)?
175 /home/[^/]+/.gcjwebplugin(/.*)?
176 /home/[^/]+/.grl-podcasts(/.*)?
177 /home/[^/]+/.cache/mozilla(/.*)?
178 /home/[^/]+/.icedteaplugin(/.*)?
179 /home/[^/]+/zimbrauserdata(/.*)?
180 /home/[^/]+/.juniper_networks(/.*)?
181 /home/[^/]+/.cache/icedtea-web(/.*)?
182 /home/[^/]+/abc
183 /home/[^/]+/mozilla.pdf
184 /home/[^/]+/.gnashpluginrc
185
186 mozilla_tmp_t
187
188
189 mozilla_tmpfs_t
190
191
192 nfs_t
193
194
195 pulseaudio_home_t
196
197 /root/.pulse(/.*)?
198 /root/.config/pulse(/.*)?
199 /root/.esd_auth
200 /root/.pulse-cookie
201 /home/[^/]+/.pulse(/.*)?
202 /home/[^/]+/.config/pulse(/.*)?
203 /home/[^/]+/.esd_auth
204 /home/[^/]+/.pulse-cookie
205
206 user_fonts_cache_t
207
208 /root/.fontconfig(/.*)?
209 /root/.fonts/auto(/.*)?
210 /root/.fonts.cache-.*
211 /root/.cache/fontconfig(/.*)?
212 /home/[^/]+/.fontconfig(/.*)?
213 /home/[^/]+/.fonts/auto(/.*)?
214 /home/[^/]+/.fonts.cache-.*
215 /home/[^/]+/.cache/fontconfig(/.*)?
216
217
219 SELinux requires files to have an extended attribute to define the file
220 type.
221
222 You can see the context of a file using the -Z option to ls
223
224 Policy governs the access confined processes have to these files.
225 SELinux mozilla policy is very flexible allowing users to setup their
226 mozilla processes in as secure a method as possible.
227
228 STANDARD FILE CONTEXT
229
230 SELinux defines the file context types for the mozilla, if you wanted
231 to store files with these types in a diffent paths, you need to execute
232 the semanage command to sepecify alternate labeling and then use re‐
233 storecon to put the labels on disk.
234
235 semanage fcontext -a -t mozilla_tmpfs_t '/srv/mymozilla_content(/.*)?'
236 restorecon -R -v /srv/mymozilla_content
237
238 Note: SELinux often uses regular expressions to specify labels that
239 match multiple files.
240
241 The following file types are defined for mozilla:
242
243
244
245 mozilla_conf_t
246
247 - Set files with the mozilla_conf_t type, if you want to treat the
248 files as mozilla configuration data, usually stored under the /etc di‐
249 rectory.
250
251
252
253 mozilla_exec_t
254
255 - Set files with the mozilla_exec_t type, if you want to transition an
256 executable to the mozilla_t domain.
257
258
259 Paths:
260 /usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/[^/]*fire‐
261 fox[^/]*/firefox-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/fire‐
262 fox[^/]*/mozilla-.*, /usr/lib/mozilla[^/]*/mozilla-.*,
263 /usr/bin/mozilla-[0-9].*, /usr/lib/netscape/.+/communicator/commu‐
264 nicator-smotif.real, /usr/bin/mozilla-bin-[0-9].*,
265 /usr/bin/mozilla, /usr/bin/epiphany, /usr/bin/netscape,
266 /usr/bin/epiphany-bin, /usr/lib/galeon/galeon, /usr/bin/mozilla-
267 snapshot, /usr/lib/netscape/base-4/wrapper
268
269
270 mozilla_home_t
271
272 - Set files with the mozilla_home_t type, if you want to store mozilla
273 files in the users home directory.
274
275
276 Paths:
277 /home/[^/]+/.lyx(/.*)?, /home/[^/]+/.java(/.*)?,
278 /home/[^/]+/.adobe(/.*)?, /home/[^/]+/.gnash(/.*)?,
279 /home/[^/]+/.webex(/.*)?, /home/[^/]+/.IBMERS(/.*)?,
280 /home/[^/]+/.galeon(/.*)?, /home/[^/]+/.spicec(/.*)?,
281 /home/[^/]+/POkemon.*(/.*)?, /home/[^/]+/.icedtea(/.*)?,
282 /home/[^/]+/.mozilla(/.*)?, /home/[^/]+/.phoenix(/.*)?,
283 /home/[^/]+/.netscape(/.*)?, /home/[^/]+/.ICAClient(/.*)?,
284 /home/[^/]+/.quakelive(/.*)?, /home/[^/]+/.macromedia(/.*)?,
285 /home/[^/]+/.thunderbird(/.*)?, /home/[^/]+/.gcjwebplugin(/.*)?,
286 /home/[^/]+/.grl-podcasts(/.*)?, /home/[^/]+/.cache/mozilla(/.*)?,
287 /home/[^/]+/.icedteaplugin(/.*)?, /home/[^/]+/zimbrauser‐
288 data(/.*)?, /home/[^/]+/.juniper_networks(/.*)?,
289 /home/[^/]+/.cache/icedtea-web(/.*)?, /home/[^/]+/abc,
290 /home/[^/]+/mozilla.pdf, /home/[^/]+/.gnashpluginrc
291
292
293 mozilla_plugin_config_exec_t
294
295 - Set files with the mozilla_plugin_config_exec_t type, if you want to
296 transition an executable to the mozilla_plugin_config_t domain.
297
298
299
300 mozilla_plugin_exec_t
301
302 - Set files with the mozilla_plugin_exec_t type, if you want to transi‐
303 tion an executable to the mozilla_plugin_t domain.
304
305
306 Paths:
307 /usr/lib/xulrunner[^/]*/plugin-container, /usr/lib/nspluginwrap‐
308 per/npviewer.bin, /usr/bin/nspluginscan, /usr/bin/nspluginviewer,
309 /usr/libexec/WebKitPluginProcess, /usr/lib/firefox/plugin-con‐
310 tainer
311
312
313 mozilla_plugin_rw_t
314
315 - Set files with the mozilla_plugin_rw_t type, if you want to treat the
316 files as mozilla plugin read/write content.
317
318
319
320 mozilla_plugin_tmp_t
321
322 - Set files with the mozilla_plugin_tmp_t type, if you want to store
323 mozilla plugin temporary files in the /tmp directories.
324
325
326
327 mozilla_plugin_tmpfs_t
328
329 - Set files with the mozilla_plugin_tmpfs_t type, if you want to store
330 mozilla plugin files on a tmpfs file system.
331
332
333
334 mozilla_tmp_t
335
336 - Set files with the mozilla_tmp_t type, if you want to store mozilla
337 temporary files in the /tmp directories.
338
339
340
341 mozilla_tmpfs_t
342
343 - Set files with the mozilla_tmpfs_t type, if you want to store mozilla
344 files on a tmpfs file system.
345
346
347
348 Note: File context can be temporarily modified with the chcon command.
349 If you want to permanently change the file context you need to use the
350 semanage fcontext command. This will modify the SELinux labeling data‐
351 base. You will need to use restorecon to apply the labels.
352
353
355 semanage fcontext can also be used to manipulate default file context
356 mappings.
357
358 semanage permissive can also be used to manipulate whether or not a
359 process type is permissive.
360
361 semanage module can also be used to enable/disable/install/remove pol‐
362 icy modules.
363
364 semanage boolean can also be used to manipulate the booleans
365
366
367 system-config-selinux is a GUI tool available to customize SELinux pol‐
368 icy settings.
369
370
372 This manual page was auto-generated using sepolicy manpage .
373
374
376 selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1), sepol‐
377 icy(8), setsebool(8), mozilla_plugin_selinux(8),
378 mozilla_plugin_selinux(8), mozilla_plugin_config_selinux(8),
379 mozilla_plugin_config_selinux(8)
380
381
382
383mozilla 21-06-09 mozilla_selinux(8)