[people/stevee/selinux-policy.git] / policy / modules / apps / mozilla.te

policy_module(mozilla, 2.2.2)

########################################
#
# Declarations
#

## <desc>
## <p>
## Control mozilla content access
## </p>
## </desc>
gen_tunable(mozilla_read_content, false)

type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
application_domain(mozilla_t, mozilla_exec_t)
ubac_constrained(mozilla_t)

type mozilla_conf_t;
files_config_file(mozilla_conf_t)

type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
files_poly_member(mozilla_home_t)
userdom_user_home_content(mozilla_home_t)

type mozilla_tmpfs_t;
typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
files_tmpfs_file(mozilla_tmpfs_t)
ubac_constrained(mozilla_tmpfs_t)

type mozilla_plugin_t;
type mozilla_plugin_exec_t;
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role system_r types mozilla_plugin_t;

type mozilla_plugin_tmp_t;
files_tmp_file(mozilla_plugin_tmp_t)

type mozilla_plugin_tmpfs_t;
files_tmpfs_file(mozilla_plugin_tmpfs_t)
ubac_constrained(mozilla_plugin_tmpfs_t)

permissive mozilla_plugin_t;

########################################
#
# Local policy
#

allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
allow mozilla_t self:shm { unix_read unix_write read write destroy create };
allow mozilla_t self:sem create_sem_perms;
allow mozilla_t self:socket create_socket_perms;
allow mozilla_t self:unix_stream_socket { listen accept };
# Browse the web, connect to printer
allow mozilla_t self:tcp_socket create_socket_perms;
allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;

# for bash - old mozilla binary
can_exec(mozilla_t, mozilla_exec_t)

# X access, Home files
manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
userdom_search_user_home_dirs(mozilla_t)
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)

# Mozpluggerrc
allow mozilla_t mozilla_conf_t:file read_file_perms;

manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })

kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
# Access /proc, sysctl
kernel_read_system_state(mozilla_t)
kernel_read_net_sysctls(mozilla_t)

# Look for plugins
corecmd_list_bin(mozilla_t)
# for bash - old mozilla binary
corecmd_exec_shell(mozilla_t)
corecmd_exec_bin(mozilla_t)

# Browse the web, connect to printer
corenet_all_recvfrom_unlabeled(mozilla_t)
corenet_all_recvfrom_netlabel(mozilla_t)
corenet_tcp_sendrecv_generic_if(mozilla_t)
corenet_raw_sendrecv_generic_if(mozilla_t)
corenet_tcp_sendrecv_generic_node(mozilla_t)
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
corenet_tcp_connect_flash_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
corenet_tcp_connect_http_cache_port(mozilla_t)
corenet_tcp_connect_squid_port(mozilla_t)
corenet_tcp_connect_ftp_port(mozilla_t)
corenet_tcp_connect_ipp_port(mozilla_t)
corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
corenet_sendrecv_http_client_packets(mozilla_t)
corenet_sendrecv_http_cache_client_packets(mozilla_t)
corenet_sendrecv_squid_client_packets(mozilla_t)
corenet_sendrecv_ftp_client_packets(mozilla_t)
corenet_sendrecv_ipp_client_packets(mozilla_t)
corenet_sendrecv_generic_client_packets(mozilla_t)
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
corenet_tcp_connect_speech_port(mozilla_t)

dev_read_urand(mozilla_t)
dev_read_rand(mozilla_t)
dev_write_sound(mozilla_t)
dev_read_sound(mozilla_t)
dev_dontaudit_rw_dri(mozilla_t)
dev_getattr_sysfs_dirs(mozilla_t)

domain_dontaudit_read_all_domains_state(mozilla_t)

files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t)
files_read_etc_files(mozilla_t)
# /var/lib
files_read_var_lib_files(mozilla_t)
# interacting with gstreamer
files_read_var_files(mozilla_t)
files_read_var_symlinks(mozilla_t)
files_dontaudit_getattr_boot_dirs(mozilla_t)

fs_search_auto_mountpoints(mozilla_t)
fs_list_inotifyfs(mozilla_t)
fs_rw_tmpfs_files(mozilla_t)

term_dontaudit_getattr_pty_dirs(mozilla_t)

logging_send_syslog_msg(mozilla_t)

miscfiles_read_fonts(mozilla_t)
miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)

# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)

userdom_use_user_ptys(mozilla_t)

xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)

tunable_policy(`allow_execmem',`
	allow mozilla_t self:process { execmem execstack };
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(mozilla_t)
	fs_manage_nfs_files(mozilla_t)
	fs_manage_nfs_symlinks(mozilla_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(mozilla_t)
	fs_manage_cifs_files(mozilla_t)
	fs_manage_cifs_symlinks(mozilla_t)
')

# Uploads, local html
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(mozilla_t)
	files_list_home(mozilla_t)
	fs_read_nfs_files(mozilla_t)
	fs_read_nfs_symlinks(mozilla_t)

',`
	files_dontaudit_list_home(mozilla_t)
	fs_dontaudit_list_auto_mountpoints(mozilla_t)
	fs_dontaudit_read_nfs_files(mozilla_t)
	fs_dontaudit_list_nfs(mozilla_t)
')

tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
	fs_list_auto_mountpoints(mozilla_t)
	files_list_home(mozilla_t)
	fs_read_cifs_files(mozilla_t)
	fs_read_cifs_symlinks(mozilla_t)
',`
	files_dontaudit_list_home(mozilla_t)
	fs_dontaudit_list_auto_mountpoints(mozilla_t)
	fs_dontaudit_read_cifs_files(mozilla_t)
	fs_dontaudit_list_cifs(mozilla_t)
')

tunable_policy(`mozilla_read_content',`
	userdom_list_user_tmp(mozilla_t)
	userdom_read_user_tmp_files(mozilla_t)
	userdom_read_user_tmp_symlinks(mozilla_t)
	userdom_read_user_home_content_files(mozilla_t)
	userdom_read_user_home_content_symlinks(mozilla_t)

	ifdef(`enable_mls',`',`
		fs_search_removable(mozilla_t)
		fs_read_removable_files(mozilla_t)
		fs_read_removable_symlinks(mozilla_t)
	')
',`
	files_dontaudit_list_tmp(mozilla_t)
	files_dontaudit_list_home(mozilla_t)
	fs_dontaudit_list_removable(mozilla_t)
	fs_dontaudit_read_removable_files(mozilla_t)
	userdom_dontaudit_list_user_tmp(mozilla_t)
	userdom_dontaudit_read_user_tmp_files(mozilla_t)
	userdom_dontaudit_list_user_home_dirs(mozilla_t)
	userdom_dontaudit_read_user_home_content_files(mozilla_t)
')

optional_policy(`
	apache_read_user_scripts(mozilla_t)
	apache_read_user_content(mozilla_t)
')

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(mozilla_t)
')

optional_policy(`
	cups_read_rw_config(mozilla_t)
	cups_dbus_chat(mozilla_t)
')

optional_policy(`
	dbus_system_bus_client(mozilla_t)
	dbus_session_bus_client(mozilla_t)

	optional_policy(`
		networkmanager_dbus_chat(mozilla_t)
	')
')

optional_policy(`
	gnome_stream_connect_gconf(mozilla_t)
	gnome_manage_config(mozilla_t)
	gnome_manage_gconf_home_files(mozilla_t)
')

optional_policy(`
	java_domtrans(mozilla_t)
')

optional_policy(`
	lpd_domtrans_lpr(mozilla_t)
')

optional_policy(`
	mplayer_domtrans(mozilla_t)
	mplayer_read_user_home_files(mozilla_t)
')

optional_policy(`
	nscd_socket_use(mozilla_t)
')

optional_policy(`
	nsplugin_manage_rw(mozilla_t)
	nsplugin_manage_home_files(mozilla_t)
')

optional_policy(`
	pulseaudio_exec(mozilla_t)
	pulseaudio_stream_connect(mozilla_t)
	pulseaudio_manage_home_files(mozilla_t)
')

optional_policy(`
	thunderbird_domtrans(mozilla_t)
')

########################################
#
# mozilla_plugin local policy
#
allow mozilla_plugin_t self:process { setsched signal_perms execmem };
allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow mozilla_plugin_t self:tcp_socket create_socket_perms;
allow mozilla_plugin_t self:udp_socket create_socket_perms;

allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };

can_exec(mozilla_plugin_t, mozilla_home_t)
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)

manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)

manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })

can_exec(mozilla_plugin_t, mozilla_exec_t)

kernel_read_kernel_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
kernel_request_load_module(mozilla_plugin_t)

corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)

corenet_tcp_connect_flash_port(mozilla_plugin_t)
corenet_tcp_connect_streaming_port(mozilla_plugin_t)
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)

dev_read_urand(mozilla_plugin_t)
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
dev_read_sound(mozilla_plugin_t)
dev_write_sound(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)

domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)

files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)

fs_getattr_tmpfs(mozilla_plugin_t)

application_dontaudit_signull(mozilla_plugin_t)

miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)

sysnet_dns_name_resolve(mozilla_plugin_t)

term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)

userdom_rw_user_tmpfs_files(mozilla_plugin_t)
userdom_delete_user_tmpfs_files(mozilla_plugin_t)
userdom_stream_connect(mozilla_plugin_t)
userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
userdom_manage_user_tmp_sockets(mozilla_plugin_t)

userdom_list_user_tmp(mozilla_plugin_t)
userdom_manage_user_tmp_dirs(mozilla_plugin_t)
userdom_read_user_tmp_files(mozilla_plugin_t)
userdom_read_user_tmp_symlinks(mozilla_plugin_t)
userdom_read_user_home_content_files(mozilla_plugin_t)
userdom_read_user_home_content_files(mozilla_plugin_t)
userdom_read_user_home_content_symlinks(mozilla_plugin_t)

optional_policy(`
	alsa_read_rw_config(mozilla_plugin_t)
	alsa_read_home_files(mozilla_plugin_t)
')

optional_policy(`
	dbus_session_bus_client(mozilla_plugin_t)
	dbus_read_lib_files(mozilla_plugin_t)
')

optional_policy(`
	gnome_manage_config(mozilla_plugin_t)
	gnome_setattr_home_config(mozilla_plugin_t)
')

optional_policy(`
	nsplugin_domtrans(mozilla_plugin_t)
	nsplugin_rw_exec(mozilla_plugin_t)
	nsplugin_manage_home_dirs(mozilla_plugin_t)
	nsplugin_manage_home_files(mozilla_plugin_t)
	nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
	nsplugin_signal(mozilla_plugin_t)
')

optional_policy(`
	pulseaudio_exec(mozilla_plugin_t)
	pulseaudio_stream_connect(mozilla_plugin_t)
	pulseaudio_setattr_home_dir(mozilla_plugin_t)
	pulseaudio_manage_home_files(mozilla_plugin_t)
')

optional_policy(`
	xserver_read_xdm_pid(mozilla_plugin_t)
	xserver_stream_connect(mozilla_plugin_t)
	xserver_use_user_fonts(mozilla_plugin_t)
	xserver_read_user_iceauth(mozilla_plugin_t)
')
Commit	Line	Data
4b76ea5f	1	policy_module(mozilla, 2.2.2)
9105f90b CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
56e1b3d2 CP	8	## <desc>
	9	## <p>
	10	## Control mozilla content access
	11	## </p>
	12	## </desc>
0bfccda4	13	gen_tunable(mozilla_read_content, false)
56e1b3d2	14
296273a7 CP	15	type mozilla_t;
	16	type mozilla_exec_t;
	17	typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
	18	typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
	19	application_domain(mozilla_t, mozilla_exec_t)
	20	ubac_constrained(mozilla_t)
	21
9105f90b CP	22	type mozilla_conf_t;
	23	files_config_file(mozilla_conf_t)
	24
296273a7 CP	25	type mozilla_home_t;
	26	typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
	27	typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
3eaa9939	28	files_poly_member(mozilla_home_t)
296273a7 CP	29	userdom_user_home_content(mozilla_home_t)
	30
	31	type mozilla_tmpfs_t;
	32	typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
	33	typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
	34	files_tmpfs_file(mozilla_tmpfs_t)
	35	ubac_constrained(mozilla_tmpfs_t)
	36
3eaa9939 DW	37	type mozilla_plugin_t;
	38	type mozilla_plugin_exec_t;
	39	application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
	40	role system_r types mozilla_plugin_t;
	41
ef98a374 DW	42	type mozilla_plugin_tmp_t;
	43	files_tmp_file(mozilla_plugin_tmp_t)
	44
f5b49a5e DW	45	type mozilla_plugin_tmpfs_t;
	46	files_tmpfs_file(mozilla_plugin_tmpfs_t)
	47	ubac_constrained(mozilla_plugin_tmpfs_t)
	48
3eaa9939 DW	49	permissive mozilla_plugin_t;
3eaa9939 DW	50
296273a7 CP	51	########################################
	52	#
	53	# Local policy
	54	#
	55
	56	allow mozilla_t self:capability { sys_nice setgid setuid };
	57	allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
	58	allow mozilla_t self:fifo_file rw_fifo_file_perms;
	59	allow mozilla_t self:shm { unix_read unix_write read write destroy create };
	60	allow mozilla_t self:sem create_sem_perms;
	61	allow mozilla_t self:socket create_socket_perms;
	62	allow mozilla_t self:unix_stream_socket { listen accept };
	63	# Browse the web, connect to printer
	64	allow mozilla_t self:tcp_socket create_socket_perms;
	65	allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
	66
	67	# for bash - old mozilla binary
	68	can_exec(mozilla_t, mozilla_exec_t)
	69
	70	# X access, Home files
	71	manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
	72	manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
	73	manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
	74	userdom_search_user_home_dirs(mozilla_t)
b77daab0	75	userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
296273a7 CP	76
	77	# Mozpluggerrc
	78	allow mozilla_t mozilla_conf_t:file read_file_perms;
	79
	80	manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
	81	manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
	82	manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
	83	manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
	84	fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
	85
	86	kernel_read_kernel_sysctls(mozilla_t)
	87	kernel_read_network_state(mozilla_t)
	88	# Access /proc, sysctl
	89	kernel_read_system_state(mozilla_t)
	90	kernel_read_net_sysctls(mozilla_t)
	91
b77daab0	92	# Look for plugins
296273a7 CP	93	corecmd_list_bin(mozilla_t)
	94	# for bash - old mozilla binary
	95	corecmd_exec_shell(mozilla_t)
	96	corecmd_exec_bin(mozilla_t)
	97
	98	# Browse the web, connect to printer
	99	corenet_all_recvfrom_unlabeled(mozilla_t)
	100	corenet_all_recvfrom_netlabel(mozilla_t)
	101	corenet_tcp_sendrecv_generic_if(mozilla_t)
	102	corenet_raw_sendrecv_generic_if(mozilla_t)
c1262146 CP	103	corenet_tcp_sendrecv_generic_node(mozilla_t)
c1262146 CP	104	corenet_raw_sendrecv_generic_node(mozilla_t)
296273a7 CP	105	corenet_tcp_sendrecv_http_port(mozilla_t)
296273a7 CP	106	corenet_tcp_sendrecv_http_cache_port(mozilla_t)
3eaa9939 DW	107	corenet_tcp_sendrecv_squid_port(mozilla_t)
3eaa9939 DW	108	corenet_tcp_connect_flash_port(mozilla_t)
296273a7 CP	109	corenet_tcp_sendrecv_ftp_port(mozilla_t)
	110	corenet_tcp_sendrecv_ipp_port(mozilla_t)
	111	corenet_tcp_connect_http_port(mozilla_t)
	112	corenet_tcp_connect_http_cache_port(mozilla_t)
3eaa9939	113	corenet_tcp_connect_squid_port(mozilla_t)
296273a7 CP	114	corenet_tcp_connect_ftp_port(mozilla_t)
	115	corenet_tcp_connect_ipp_port(mozilla_t)
	116	corenet_tcp_connect_generic_port(mozilla_t)
b77daab0	117	corenet_tcp_connect_soundd_port(mozilla_t)
296273a7 CP	118	corenet_sendrecv_http_client_packets(mozilla_t)
296273a7 CP	119	corenet_sendrecv_http_cache_client_packets(mozilla_t)
3eaa9939	120	corenet_sendrecv_squid_client_packets(mozilla_t)
296273a7 CP	121	corenet_sendrecv_ftp_client_packets(mozilla_t)
	122	corenet_sendrecv_ipp_client_packets(mozilla_t)
	123	corenet_sendrecv_generic_client_packets(mozilla_t)
	124	# Should not need other ports
	125	corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
	126	corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
06625d30	127	corenet_tcp_connect_speech_port(mozilla_t)
296273a7 CP	128
	129	dev_read_urand(mozilla_t)
	130	dev_read_rand(mozilla_t)
	131	dev_write_sound(mozilla_t)
	132	dev_read_sound(mozilla_t)
	133	dev_dontaudit_rw_dri(mozilla_t)
	134	dev_getattr_sysfs_dirs(mozilla_t)
	135
b77daab0 CP	136	domain_dontaudit_read_all_domains_state(mozilla_t)
b77daab0 CP	137
296273a7 CP	138	files_read_etc_runtime_files(mozilla_t)
	139	files_read_usr_files(mozilla_t)
	140	files_read_etc_files(mozilla_t)
	141	# /var/lib
	142	files_read_var_lib_files(mozilla_t)
	143	# interacting with gstreamer
	144	files_read_var_files(mozilla_t)
	145	files_read_var_symlinks(mozilla_t)
	146	files_dontaudit_getattr_boot_dirs(mozilla_t)
	147
	148	fs_search_auto_mountpoints(mozilla_t)
	149	fs_list_inotifyfs(mozilla_t)
	150	fs_rw_tmpfs_files(mozilla_t)
	151
	152	term_dontaudit_getattr_pty_dirs(mozilla_t)
	153
	154	logging_send_syslog_msg(mozilla_t)
	155
	156	miscfiles_read_fonts(mozilla_t)
	157	miscfiles_read_localization(mozilla_t)
3c1e8ff6	158	miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
296273a7 CP	159
	160	# Browse the web, connect to printer
	161	sysnet_dns_name_resolve(mozilla_t)
	162
3c1e8ff6	163	userdom_use_user_ptys(mozilla_t)
296273a7 CP	164
	165	xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
	166	xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
	167	xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
	168
	169	tunable_policy(`allow_execmem',`
	170	allow mozilla_t self:process { execmem execstack };
	171	')
	172
	173	tunable_policy(`use_nfs_home_dirs',`
	174	fs_manage_nfs_dirs(mozilla_t)
	175	fs_manage_nfs_files(mozilla_t)
	176	fs_manage_nfs_symlinks(mozilla_t)
	177	')
	178
	179	tunable_policy(`use_samba_home_dirs',`
	180	fs_manage_cifs_dirs(mozilla_t)
	181	fs_manage_cifs_files(mozilla_t)
	182	fs_manage_cifs_symlinks(mozilla_t)
	183	')
	184
	185	# Uploads, local html
	186	tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
	187	fs_list_auto_mountpoints(mozilla_t)
	188	files_list_home(mozilla_t)
	189	fs_read_nfs_files(mozilla_t)
	190	fs_read_nfs_symlinks(mozilla_t)
	191
	192	',`
	193	files_dontaudit_list_home(mozilla_t)
	194	fs_dontaudit_list_auto_mountpoints(mozilla_t)
	195	fs_dontaudit_read_nfs_files(mozilla_t)
	196	fs_dontaudit_list_nfs(mozilla_t)
	197	')
	198
	199	tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
	200	fs_list_auto_mountpoints(mozilla_t)
	201	files_list_home(mozilla_t)
	202	fs_read_cifs_files(mozilla_t)
	203	fs_read_cifs_symlinks(mozilla_t)
	204	',`
	205	files_dontaudit_list_home(mozilla_t)
	206	fs_dontaudit_list_auto_mountpoints(mozilla_t)
	207	fs_dontaudit_read_cifs_files(mozilla_t)
	208	fs_dontaudit_list_cifs(mozilla_t)
	209	')
	210
	211	tunable_policy(`mozilla_read_content',`
	212	userdom_list_user_tmp(mozilla_t)
	213	userdom_read_user_tmp_files(mozilla_t)
	214	userdom_read_user_tmp_symlinks(mozilla_t)
	215	userdom_read_user_home_content_files(mozilla_t)
	216	userdom_read_user_home_content_symlinks(mozilla_t)
	217
	218	ifdef(`enable_mls',`',`
	219	fs_search_removable(mozilla_t)
	220	fs_read_removable_files(mozilla_t)
	221	fs_read_removable_symlinks(mozilla_t)
	222	')
	223	',`
	224	files_dontaudit_list_tmp(mozilla_t)
	225	files_dontaudit_list_home(mozilla_t)
	226	fs_dontaudit_list_removable(mozilla_t)
	227	fs_dontaudit_read_removable_files(mozilla_t)
228	userdom_dontaudit_list_user_tmp(mozilla_t)
229	userdom_dontaudit_read_user_tmp_files(mozilla_t)
230	userdom_dontaudit_list_user_home_dirs(mozilla_t)
231	userdom_dontaudit_read_user_home_content_files(mozilla_t)
232	')
233
296273a7 CP	234	optional_policy(`
	235	apache_read_user_scripts(mozilla_t)
	236	apache_read_user_content(mozilla_t)
	237	')
	238
	239	optional_policy(`
	240	automount_dontaudit_getattr_tmp_dirs(mozilla_t)
	241	')
	242
	243	optional_policy(`
	244	cups_read_rw_config(mozilla_t)
	245	cups_dbus_chat(mozilla_t)
	246	')
	247
	248	optional_policy(`
	249	dbus_system_bus_client(mozilla_t)
	250	dbus_session_bus_client(mozilla_t)
b77daab0 CP	251
	252	optional_policy(`
	253	networkmanager_dbus_chat(mozilla_t)
	254	')
296273a7 CP	255	')
	256
	257	optional_policy(`
	258	gnome_stream_connect_gconf(mozilla_t)
06625d30	259	gnome_manage_config(mozilla_t)
3eaa9939	260	gnome_manage_gconf_home_files(mozilla_t)
296273a7 CP	261	')
	262
	263	optional_policy(`
	264	java_domtrans(mozilla_t)
	265	')
	266
	267	optional_policy(`
	268	lpd_domtrans_lpr(mozilla_t)
	269	')
	270
	271	optional_policy(`
	272	mplayer_domtrans(mozilla_t)
	273	mplayer_read_user_home_files(mozilla_t)
	274	')
	275
	276	optional_policy(`
	277	nscd_socket_use(mozilla_t)
	278	')
	279
3eaa9939 DW	280	optional_policy(`
	281	nsplugin_manage_rw(mozilla_t)
	282	nsplugin_manage_home_files(mozilla_t)
	283	')
	284
3c1e8ff6 CP	285	optional_policy(`
	286	pulseaudio_exec(mozilla_t)
	287	pulseaudio_stream_connect(mozilla_t)
	288	pulseaudio_manage_home_files(mozilla_t)
	289	')
	290
296273a7 CP	291	optional_policy(`
	292	thunderbird_domtrans(mozilla_t)
	293	')
3eaa9939 DW	294
	295	########################################
	296	#
	297	# mozilla_plugin local policy
	298	#
f5b49a5e	299	allow mozilla_plugin_t self:process { setsched signal_perms execmem };
4e6b3f6d DW	300	allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
	301	allow mozilla_plugin_t self:tcp_socket create_socket_perms;
	302	allow mozilla_plugin_t self:udp_socket create_socket_perms;
3eaa9939 DW	303
	304	allow mozilla_plugin_t self:sem create_sem_perms;
	305	allow mozilla_plugin_t self:shm create_shm_perms;
	306	allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
	307	allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
	308
7cfb9354	309	can_exec(mozilla_plugin_t, mozilla_home_t)
4e6b3f6d	310	read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
3eaa9939	311
ef98a374 DW	312	manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
	313	manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
	314	files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
ddd1ccaa	315	can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
ef98a374	316
f5b49a5e DW	317	manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
	318	manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
	319	manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
	320	manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
	321	fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
	322
0b8f4cfe DW	323	can_exec(mozilla_plugin_t, mozilla_exec_t)
0b8f4cfe DW	324
3eaa9939 DW	325	kernel_read_kernel_sysctls(mozilla_plugin_t)
	326	kernel_read_system_state(mozilla_plugin_t)
	327	kernel_request_load_module(mozilla_plugin_t)
	328
	329	corecmd_exec_bin(mozilla_plugin_t)
	330	corecmd_exec_shell(mozilla_plugin_t)
	331
b45aaab9 DW	332	corenet_tcp_connect_flash_port(mozilla_plugin_t)
	333	corenet_tcp_connect_streaming_port(mozilla_plugin_t)
	334	corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
	335	corenet_tcp_connect_http_port(mozilla_plugin_t)
	336	corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
	337	corenet_tcp_connect_squid_port(mozilla_plugin_t)
	338	corenet_tcp_connect_ipp_port(mozilla_plugin_t)
	339	corenet_tcp_connect_speech_port(mozilla_plugin_t)
	340
3eaa9939	341	dev_read_urand(mozilla_plugin_t)
f5b49a5e	342	dev_read_video_dev(mozilla_plugin_t)
b45aaab9	343	dev_write_video_dev(mozilla_plugin_t)
f5b49a5e	344	dev_read_sysfs(mozilla_plugin_t)
0b8f4cfe DW	345	dev_read_sound(mozilla_plugin_t)
0b8f4cfe DW	346	dev_write_sound(mozilla_plugin_t)
4e6b3f6d	347	dev_dontaudit_rw_dri(mozilla_plugin_t)
3eaa9939 DW	348
	349	domain_use_interactive_fds(mozilla_plugin_t)
	350	domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
	351
	352	files_read_config_files(mozilla_plugin_t)
	353	files_read_usr_files(mozilla_plugin_t)
	354
dfe675b8	355	fs_getattr_tmpfs(mozilla_plugin_t)
ef98a374	356
751ec039 DW	357	application_dontaudit_signull(mozilla_plugin_t)
751ec039 DW	358
3eaa9939	359	miscfiles_read_localization(mozilla_plugin_t)
f5b49a5e	360	miscfiles_read_fonts(mozilla_plugin_t)
3eaa9939	361
79bff2bb DW	362	sysnet_dns_name_resolve(mozilla_plugin_t)
79bff2bb DW	363
3eaa9939 DW	364	term_getattr_all_ttys(mozilla_plugin_t)
	365	term_getattr_all_ptys(mozilla_plugin_t)
	366
ef98a374	367	userdom_rw_user_tmpfs_files(mozilla_plugin_t)
5212892e	368	userdom_delete_user_tmpfs_files(mozilla_plugin_t)
f5b49a5e DW	369	userdom_stream_connect(mozilla_plugin_t)
f5b49a5e DW	370	userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
ddd1ccaa	371	userdom_manage_user_tmp_sockets(mozilla_plugin_t)
4e6b3f6d DW	372
4e6b3f6d DW	373	userdom_list_user_tmp(mozilla_plugin_t)
d1c6ba20	374	userdom_manage_user_tmp_dirs(mozilla_plugin_t)
4e6b3f6d DW	375	userdom_read_user_tmp_files(mozilla_plugin_t)
	376	userdom_read_user_tmp_symlinks(mozilla_plugin_t)
	377	userdom_read_user_home_content_files(mozilla_plugin_t)
5212892e	378	userdom_read_user_home_content_files(mozilla_plugin_t)
4e6b3f6d	379	userdom_read_user_home_content_symlinks(mozilla_plugin_t)
f5b49a5e	380
0b8f4cfe DW	381	optional_policy(`
0b8f4cfe DW	382	alsa_read_rw_config(mozilla_plugin_t)
b45aaab9	383	alsa_read_home_files(mozilla_plugin_t)
0b8f4cfe DW	384	')
0b8f4cfe DW	385
f5b49a5e	386	optional_policy(`
4e6b3f6d	387	dbus_session_bus_client(mozilla_plugin_t)
f5b49a5e DW	388	dbus_read_lib_files(mozilla_plugin_t)
	389	')
	390
	391	optional_policy(`
79bff2bb	392	gnome_manage_config(mozilla_plugin_t)
5ef740e5	393	gnome_setattr_home_config(mozilla_plugin_t)
f5b49a5e	394	')
ef98a374	395
3eaa9939 DW	396	optional_policy(`
	397	nsplugin_domtrans(mozilla_plugin_t)
	398	nsplugin_rw_exec(mozilla_plugin_t)
da073333	399	nsplugin_manage_home_dirs(mozilla_plugin_t)
f5b49a5e	400	nsplugin_manage_home_files(mozilla_plugin_t)
79bff2bb	401	nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
6ed3f15e	402	nsplugin_signal(mozilla_plugin_t)
f5b49a5e DW	403	')
	404
	405	optional_policy(`
b45aaab9 DW	406	pulseaudio_exec(mozilla_plugin_t)
b45aaab9 DW	407	pulseaudio_stream_connect(mozilla_plugin_t)
79bff2bb	408	pulseaudio_setattr_home_dir(mozilla_plugin_t)
b45aaab9	409	pulseaudio_manage_home_files(mozilla_plugin_t)
3eaa9939 DW	410	')
	411
	412	optional_policy(`
	413	xserver_read_xdm_pid(mozilla_plugin_t)
	414	xserver_stream_connect(mozilla_plugin_t)
0b8f4cfe	415	xserver_use_user_fonts(mozilla_plugin_t)
ddd1ccaa	416	xserver_read_user_iceauth(mozilla_plugin_t)
3eaa9939	417	')