mozilla_selinux(8) SELinux Policy mozilla mozilla_selinux(8)

NAME

mozilla_selinux - Security Enhanced Linux Policy for the mozilla processes

DESCRIPTION

Security-Enhanced Linux secures the mozilla processes via flexible mandatory access control.

The mozilla processes execute with the mozilla_t SELinux type. You can check whether these processes are running by executing the ps command with the -Z qualifier.

For example:

    ps -eZ | grep mozilla_t

ENTRYPOINTS

The mozilla_t SELinux type can be entered via the mozilla_exec_t file type.

The default entrypoint paths for the mozilla_t domain are the following:

    /usr/lib/[^/]*firefox[^/]*/firefox
    /usr/lib/[^/]*firefox[^/]*/firefox-bin
    /usr/lib/mozilla[^/]*/reg.+
    /usr/lib/firefox[^/]*/mozilla-.*
    /usr/lib/mozilla[^/]*/mozilla-.*
    /usr/bin/mozilla-[0-9].*
    /usr/lib/netscape/.+/communicator/communicator-smotif.real
    /usr/bin/mozilla-bin-[0-9].*
    /usr/bin/mozilla
    /usr/bin/epiphany
    /usr/bin/netscape
    /usr/bin/epiphany-bin
    /usr/lib/galeon/galeon
    /usr/bin/mozilla-snapshot
    /usr/lib/netscape/base-4/wrapper

PROCESS TYPES

SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux mozilla policy is very flexible, allowing users to set up their mozilla processes in as secure a manner as possible.

The following process types are defined for mozilla:

    mozilla_t, mozilla_plugin_t, mozilla_plugin_config_t

Note: semanage permissive -a mozilla_t can be used to make the process type mozilla_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.

BOOLEANS

SELinux policy is customizable based on the least access required. mozilla policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla with the tightest access possible.

If you want to allow confined web browsers to read home directory content, you must turn on the mozilla_read_content boolean. Disabled by default.

    setsebool -P mozilla_read_content 1

If you want to deny user domain applications the ability to map a memory region as both executable and writable, you must turn on the deny_execmem boolean. Such mappings are dangerous, and the executable that needs them should be reported in bugzilla. Enabled by default.

    setsebool -P deny_execmem 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

    setsebool -P fips_mode 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

    setsebool -P nis_enabled 1

If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.

    setsebool -P selinuxuser_direct_dri_enabled 1

If you want to allow unconfined executables to make their stack executable, you must turn on the selinuxuser_execstack boolean. This should never, ever be necessary: it probably indicates a badly coded executable, but could indicate an attack, and the executable should be reported in bugzilla. Enabled by default.

    setsebool -P selinuxuser_execstack 1

If you want to allow clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default.

    setsebool -P xserver_clients_write_xshm 1

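As an added example (not part of the generated man page), the following script compares the booleans documented above against their stated defaults. It reads lines in the format printed by getsebool -a; the input embedded below is constructed so the script runs without SELinux.

```shell
#!/bin/sh
# Added example, not from the sepolicy-generated page. Audits the booleans this
# page documents against their stated defaults. Input is "getsebool -a" output
# ("name --> on|off"); the sample below is constructed so it runs without SELinux.
# Documented boolean defaults, as "name:default", one per line.
MOZILLA_BOOLEAN_DEFAULTS="mozilla_read_content:off
deny_execmem:on
fips_mode:on
nis_enabled:off
selinuxuser_direct_dri_enabled:on
selinuxuser_execstack:on
xserver_clients_write_xshm:off"

# Reads getsebool lines from stdin and prints one line per documented boolean:
#   <name> <actual> (default <default>) OK|DRIFT|MISSING
# Returns 1 if any boolean differs from its default or is absent from the input.
audit_mozilla_booleans() {
    input=$(cat)
    rc=0
    for pair in $MOZILLA_BOOLEAN_DEFAULTS; do
        name=${pair%%:*}
        default=${pair#*:}
        actual=$(printf '%s\n' "$input" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$actual" ]; then
            printf '%s absent (default %s) MISSING\n' "$name" "$default"
            rc=1
        elif [ "$actual" = "$default" ]; then
            printf '%s %s (default %s) OK\n' "$name" "$actual" "$default"
        else
            printf '%s %s (default %s) DRIFT\n' "$name" "$actual" "$default"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: deny_execmem has been switched off and fips_mode is
# missing from the listing; both should be flagged. Booleans the page does not
# document (the constructed "unrelated_boolean") are ignored.
SAMPLE_GETSEBOOL="mozilla_read_content --> off
deny_execmem --> off
nis_enabled --> off
selinuxuser_direct_dri_enabled --> on
selinuxuser_execstack --> on
xserver_clients_write_xshm --> off
unrelated_boolean --> on"
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_mozilla_booleans || echo "deviations found"
```

On a live system, run getsebool -a | audit_mozilla_booleans instead of feeding the constructed sample.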
MANAGED FILES

The SELinux process type mozilla_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

cifs_t

ecryptfs_t

    /home/[^/]+/.Private(/.*)?
    /home/[^/]+/.ecryptfs(/.*)?

fusefs_t

    /var/run/user/[^/]*/gvfs

gnome_home_type

krb5_host_rcache_t

    /var/tmp/krb5_0.rcache2
    /var/cache/krb5rcache(/.*)?
    /var/tmp/nfs_0
    /var/tmp/DNS_25
    /var/tmp/host_0
    /var/tmp/imap_0
    /var/tmp/HTTP_23
    /var/tmp/HTTP_48
    /var/tmp/ldap_55
    /var/tmp/ldap_487
    /var/tmp/ldapmap1_0

mozilla_home_t

    /home/[^/]+/.lyx(/.*)?
    /home/[^/]+/.java(/.*)?
    /home/[^/]+/.adobe(/.*)?
    /home/[^/]+/.gnash(/.*)?
    /home/[^/]+/.webex(/.*)?
    /home/[^/]+/.IBMERS(/.*)?
    /home/[^/]+/.galeon(/.*)?
    /home/[^/]+/.spicec(/.*)?
    /home/[^/]+/POkemon.*(/.*)?
    /home/[^/]+/.icedtea(/.*)?
    /home/[^/]+/.mozilla(/.*)?
    /home/[^/]+/.phoenix(/.*)?
    /home/[^/]+/.netscape(/.*)?
    /home/[^/]+/.ICAClient(/.*)?
    /home/[^/]+/.quakelive(/.*)?
    /home/[^/]+/.macromedia(/.*)?
    /home/[^/]+/.thunderbird(/.*)?
    /home/[^/]+/.gcjwebplugin(/.*)?
    /home/[^/]+/.grl-podcasts(/.*)?
    /home/[^/]+/.cache/mozilla(/.*)?
    /home/[^/]+/.icedteaplugin(/.*)?
    /home/[^/]+/zimbrauserdata(/.*)?
    /home/[^/]+/.juniper_networks(/.*)?
    /home/[^/]+/.cache/icedtea-web(/.*)?
    /home/[^/]+/abc
    /home/[^/]+/mozilla.pdf
    /home/[^/]+/.gnashpluginrc

mozilla_tmp_t

mozilla_tmpfs_t

nfs_t

pulseaudio_home_t

    /root/.pulse(/.*)?
    /root/.config/pulse(/.*)?
    /root/.esd_auth
    /root/.pulse-cookie
    /home/[^/]+/.pulse(/.*)?
    /home/[^/]+/.config/pulse(/.*)?
    /home/[^/]+/.esd_auth
    /home/[^/]+/.pulse-cookie

user_fonts_cache_t

    /root/.fontconfig(/.*)?
    /root/.fonts/auto(/.*)?
    /root/.fonts.cache-.*
    /root/.cache/fontconfig(/.*)?
    /home/[^/]+/.fontconfig(/.*)?
    /home/[^/]+/.fonts/auto(/.*)?
    /home/[^/]+/.fonts.cache-.*
    /home/[^/]+/.cache/fontconfig(/.*)?

FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux mozilla policy is very flexible, allowing users to set up their mozilla processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for mozilla. If you want to store files with these types in different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.

    semanage fcontext -a -t mozilla_tmpfs_t '/srv/mymozilla_content(/.*)?'
    restorecon -R -v /srv/mymozilla_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

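The restorecon step only relabels paths that some fcontext rule matches, which is why the semanage command must come first. As an added example (not code from the page), this script resolves sample paths against a constructed rule set made of a few mozilla_home_t and user_fonts_cache_t regexes from this page plus the /srv/mymozilla_content rule from the semanage command above; it matches each rule as an anchored ERE with grep -E and takes the last match, a simplification of libselinux's real precedence ordering.

```shell
#!/bin/sh
# Added example, not from the sepolicy-generated page. Resolves which file type
# a path would receive under a constructed rule set: a subset of the
# mozilla_home_t and user_fonts_cache_t regexes listed on this page, plus the
# local rule that the "semanage fcontext -a -t mozilla_tmpfs_t" command above
# adds. Rules are "regex type", one per line, matched as anchored EREs.
# Simplification: the last matching rule wins, which is not libselinux's exact
# precedence ordering but is enough to show that an unlisted path stays
# unlabeled until a rule for it exists.
FCONTEXT_RULES='/home/[^/]+/.mozilla(/.*)? mozilla_home_t
/home/[^/]+/.cache/mozilla(/.*)? mozilla_home_t
/home/[^/]+/.thunderbird(/.*)? mozilla_home_t
/home/[^/]+/.cache/fontconfig(/.*)? user_fonts_cache_t
/srv/mymozilla_content(/.*)? mozilla_tmpfs_t'

# Prints the type of the last rule whose regex matches the whole of $1, or
# "unlabeled" (with return status 1) when no rule covers the path.
fcontext_type_for() {
    path=$1
    found=
    while read -r regex type; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            found=$type
        fi
    done <<EOF
$FCONTEXT_RULES
EOF
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    printf 'unlabeled\n'
    return 1
}

# Constructed sample paths: two covered by the page's patterns, one covered
# only by the added /srv rule, and one not covered at all.
for p in /home/alice/.mozilla/firefox/prefs.js \
         /home/alice/.cache/fontconfig/abc.cache \
         /srv/mymozilla_content/profile \
         /home/alice/Documents/notes.txt; do
    printf '%s -> %s\n' "$p" "$(fcontext_type_for "$p")"
done
```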
The following file types are defined for mozilla:

mozilla_conf_t

- Set files with the mozilla_conf_t type, if you want to treat the files as mozilla configuration data, usually stored under the /etc directory.

mozilla_exec_t

- Set files with the mozilla_exec_t type, if you want to transition an executable to the mozilla_t domain.

Paths:
    /usr/lib/[^/]*firefox[^/]*/firefox
    /usr/lib/[^/]*firefox[^/]*/firefox-bin
    /usr/lib/mozilla[^/]*/reg.+
    /usr/lib/firefox[^/]*/mozilla-.*
    /usr/lib/mozilla[^/]*/mozilla-.*
    /usr/bin/mozilla-[0-9].*
    /usr/lib/netscape/.+/communicator/communicator-smotif.real
    /usr/bin/mozilla-bin-[0-9].*
    /usr/bin/mozilla
    /usr/bin/epiphany
    /usr/bin/netscape
    /usr/bin/epiphany-bin
    /usr/lib/galeon/galeon
    /usr/bin/mozilla-snapshot
    /usr/lib/netscape/base-4/wrapper

mozilla_home_t

- Set files with the mozilla_home_t type, if you want to store mozilla files in the user's home directory.

Paths:
    /home/[^/]+/.lyx(/.*)?
    /home/[^/]+/.java(/.*)?
    /home/[^/]+/.adobe(/.*)?
    /home/[^/]+/.gnash(/.*)?
    /home/[^/]+/.webex(/.*)?
    /home/[^/]+/.IBMERS(/.*)?
    /home/[^/]+/.galeon(/.*)?
    /home/[^/]+/.spicec(/.*)?
    /home/[^/]+/POkemon.*(/.*)?
    /home/[^/]+/.icedtea(/.*)?
    /home/[^/]+/.mozilla(/.*)?
    /home/[^/]+/.phoenix(/.*)?
    /home/[^/]+/.netscape(/.*)?
    /home/[^/]+/.ICAClient(/.*)?
    /home/[^/]+/.quakelive(/.*)?
    /home/[^/]+/.macromedia(/.*)?
    /home/[^/]+/.thunderbird(/.*)?
    /home/[^/]+/.gcjwebplugin(/.*)?
    /home/[^/]+/.grl-podcasts(/.*)?
    /home/[^/]+/.cache/mozilla(/.*)?
    /home/[^/]+/.icedteaplugin(/.*)?
    /home/[^/]+/zimbrauserdata(/.*)?
    /home/[^/]+/.juniper_networks(/.*)?
    /home/[^/]+/.cache/icedtea-web(/.*)?
    /home/[^/]+/abc
    /home/[^/]+/mozilla.pdf
    /home/[^/]+/.gnashpluginrc

mozilla_plugin_config_exec_t

- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain.

mozilla_plugin_exec_t

- Set files with the mozilla_plugin_exec_t type, if you want to transition an executable to the mozilla_plugin_t domain.

Paths:
    /usr/lib/xulrunner[^/]*/plugin-container
    /usr/lib/nspluginwrapper/npviewer.bin
    /usr/bin/nspluginscan
    /usr/bin/nspluginviewer
    /usr/libexec/WebKitPluginProcess
    /usr/lib/firefox/plugin-container

mozilla_plugin_rw_t

- Set files with the mozilla_plugin_rw_t type, if you want to treat the files as mozilla plugin read/write content.

mozilla_plugin_tmp_t

- Set files with the mozilla_plugin_tmp_t type, if you want to store mozilla plugin temporary files in the /tmp directories.

mozilla_plugin_tmpfs_t

- Set files with the mozilla_plugin_tmpfs_t type, if you want to store mozilla plugin files on a tmpfs file system.

mozilla_tmp_t

- Set files with the mozilla_tmp_t type, if you want to store mozilla temporary files in the /tmp directories.

mozilla_tmpfs_t

- Set files with the mozilla_tmpfs_t type, if you want to store mozilla files on a tmpfs file system.

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will then need to use restorecon to apply the labels.

COMMANDS

semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR

This manual page was auto-generated using sepolicy manpage.

SEE ALSO

selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), mozilla_plugin_selinux(8), mozilla_plugin_config_selinux(8)

mozilla 21-11-19 mozilla_selinux(8)