[people/stevee/selinux-policy.git] / policy / modules / apps / mozilla.te

policy_module(mozilla, 2.3.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## allow confined web browsers to read home directory content
## </p>
## </desc>
gen_tunable(mozilla_read_content, false)

type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
application_domain(mozilla_t, mozilla_exec_t)
ubac_constrained(mozilla_t)

type mozilla_conf_t;
files_config_file(mozilla_conf_t)

type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
files_poly_member(mozilla_home_t)
userdom_user_home_content(mozilla_home_t)

type mozilla_tmpfs_t;
typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
files_tmpfs_file(mozilla_tmpfs_t)
ubac_constrained(mozilla_tmpfs_t)

type mozilla_plugin_t;
type mozilla_plugin_exec_t;
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role system_r types mozilla_plugin_t;

type mozilla_plugin_tmp_t;
files_tmp_file(mozilla_plugin_tmp_t)

type mozilla_plugin_tmpfs_t;
files_tmpfs_file(mozilla_plugin_tmpfs_t)
ubac_constrained(mozilla_plugin_tmpfs_t)

permissive mozilla_plugin_t;

########################################
#
# Local policy
#

allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
allow mozilla_t self:shm { unix_read unix_write read write destroy create };
allow mozilla_t self:sem create_sem_perms;
allow mozilla_t self:socket create_socket_perms;
allow mozilla_t self:unix_stream_socket { listen accept };
# Browse the web, connect to printer
allow mozilla_t self:tcp_socket create_socket_perms;
allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;

# for bash - old mozilla binary
can_exec(mozilla_t, mozilla_exec_t)

# X access, Home files
manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
userdom_search_user_home_dirs(mozilla_t)
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)

# Mozpluggerrc
allow mozilla_t mozilla_conf_t:file read_file_perms;

manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })

kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
# Access /proc, sysctl
kernel_read_system_state(mozilla_t)
kernel_read_net_sysctls(mozilla_t)

# Look for plugins
corecmd_list_bin(mozilla_t)
# for bash - old mozilla binary
corecmd_exec_shell(mozilla_t)
corecmd_exec_bin(mozilla_t)

# Browse the web, connect to printer
corenet_all_recvfrom_unlabeled(mozilla_t)
corenet_all_recvfrom_netlabel(mozilla_t)
corenet_tcp_sendrecv_generic_if(mozilla_t)
corenet_raw_sendrecv_generic_if(mozilla_t)
corenet_tcp_sendrecv_generic_node(mozilla_t)
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
corenet_tcp_connect_flash_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
corenet_tcp_connect_http_cache_port(mozilla_t)
corenet_tcp_connect_squid_port(mozilla_t)
corenet_tcp_connect_ftp_port(mozilla_t)
corenet_tcp_connect_ipp_port(mozilla_t)
corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
corenet_sendrecv_http_client_packets(mozilla_t)
corenet_sendrecv_http_cache_client_packets(mozilla_t)
corenet_sendrecv_squid_client_packets(mozilla_t)
corenet_sendrecv_ftp_client_packets(mozilla_t)
corenet_sendrecv_ipp_client_packets(mozilla_t)
corenet_sendrecv_generic_client_packets(mozilla_t)
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
corenet_tcp_connect_speech_port(mozilla_t)

dev_read_urand(mozilla_t)
dev_read_rand(mozilla_t)
dev_write_sound(mozilla_t)
dev_read_sound(mozilla_t)
dev_dontaudit_rw_dri(mozilla_t)
dev_getattr_sysfs_dirs(mozilla_t)

domain_dontaudit_read_all_domains_state(mozilla_t)

files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t)
files_read_etc_files(mozilla_t)
# /var/lib
files_read_var_lib_files(mozilla_t)
# interacting with gstreamer
files_read_var_files(mozilla_t)
files_read_var_symlinks(mozilla_t)
files_dontaudit_getattr_boot_dirs(mozilla_t)

fs_search_auto_mountpoints(mozilla_t)
fs_list_inotifyfs(mozilla_t)
fs_rw_tmpfs_files(mozilla_t)

term_dontaudit_getattr_pty_dirs(mozilla_t)

logging_send_syslog_msg(mozilla_t)

miscfiles_read_fonts(mozilla_t)
miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)

# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)

userdom_use_user_ptys(mozilla_t)

xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)

tunable_policy(`allow_execmem',`
	allow mozilla_t self:process { execmem execstack };
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(mozilla_t)
	fs_manage_nfs_files(mozilla_t)
	fs_manage_nfs_symlinks(mozilla_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(mozilla_t)
	fs_manage_cifs_files(mozilla_t)
	fs_manage_cifs_symlinks(mozilla_t)
')

# Uploads, local html
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(mozilla_t)
	files_list_home(mozilla_t)
	fs_read_nfs_files(mozilla_t)
	fs_read_nfs_symlinks(mozilla_t)

',`
	files_dontaudit_list_home(mozilla_t)
	fs_dontaudit_list_auto_mountpoints(mozilla_t)
	fs_dontaudit_read_nfs_files(mozilla_t)
	fs_dontaudit_list_nfs(mozilla_t)
')

tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
	fs_list_auto_mountpoints(mozilla_t)
	files_list_home(mozilla_t)
	fs_read_cifs_files(mozilla_t)
	fs_read_cifs_symlinks(mozilla_t)
',`
	files_dontaudit_list_home(mozilla_t)
	fs_dontaudit_list_auto_mountpoints(mozilla_t)
	fs_dontaudit_read_cifs_files(mozilla_t)
	fs_dontaudit_list_cifs(mozilla_t)
')

tunable_policy(`mozilla_read_content',`
	userdom_list_user_tmp(mozilla_t)
	userdom_read_user_tmp_files(mozilla_t)
	userdom_read_user_tmp_symlinks(mozilla_t)
	userdom_read_user_home_content_files(mozilla_t)
	userdom_read_user_home_content_symlinks(mozilla_t)

	ifdef(`enable_mls',`',`
		fs_search_removable(mozilla_t)
		fs_read_removable_files(mozilla_t)
		fs_read_removable_symlinks(mozilla_t)
	')
',`
	files_dontaudit_list_tmp(mozilla_t)
	files_dontaudit_list_home(mozilla_t)
	fs_dontaudit_list_removable(mozilla_t)
	fs_dontaudit_read_removable_files(mozilla_t)
	userdom_dontaudit_list_user_tmp(mozilla_t)
	userdom_dontaudit_read_user_tmp_files(mozilla_t)
	userdom_dontaudit_list_user_home_dirs(mozilla_t)
	userdom_dontaudit_read_user_home_content_files(mozilla_t)
')

optional_policy(`
	apache_read_user_scripts(mozilla_t)
	apache_read_user_content(mozilla_t)
')

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(mozilla_t)
')

optional_policy(`
	cups_read_rw_config(mozilla_t)
	cups_dbus_chat(mozilla_t)
')

optional_policy(`
	dbus_system_bus_client(mozilla_t)
	dbus_session_bus_client(mozilla_t)

	optional_policy(`
		networkmanager_dbus_chat(mozilla_t)
	')
')

optional_policy(`
	gnome_stream_connect_gconf(mozilla_t)
	gnome_manage_config(mozilla_t)
	gnome_manage_gconf_home_files(mozilla_t)
')

optional_policy(`
	java_domtrans(mozilla_t)
')

optional_policy(`
	lpd_domtrans_lpr(mozilla_t)
')

optional_policy(`
	mplayer_domtrans(mozilla_t)
	mplayer_read_user_home_files(mozilla_t)
')

optional_policy(`
	nscd_socket_use(mozilla_t)
')

optional_policy(`
	nsplugin_manage_rw(mozilla_t)
	nsplugin_manage_home_files(mozilla_t)
')

optional_policy(`
	pulseaudio_exec(mozilla_t)
	pulseaudio_stream_connect(mozilla_t)
	pulseaudio_manage_home_files(mozilla_t)
')

optional_policy(`
	thunderbird_domtrans(mozilla_t)
')

########################################
#
# mozilla_plugin local policy
#

dontaudit mozilla_plugin_t self:capability { sys_ptrace };

allow mozilla_plugin_t self:process { setsched signal_perms execmem };
allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
allow mozilla_plugin_t self:udp_socket create_socket_perms;
allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;

allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };

can_exec(mozilla_plugin_t, mozilla_home_t)
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)

manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)

manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })

can_exec(mozilla_plugin_t, mozilla_exec_t)

kernel_read_kernel_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
kernel_read_network_state(mozilla_plugin_t)
kernel_request_load_module(mozilla_plugin_t)

corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)

corenet_tcp_connect_generic_port(mozilla_plugin_t)
corenet_tcp_connect_flash_port(mozilla_plugin_t)
corenet_tcp_connect_streaming_port(mozilla_plugin_t)
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
corenet_tcp_connect_streaming_port(mozilla_plugin_t)
corenet_tcp_bind_generic_node(mozilla_plugin_t)
corenet_udp_bind_generic_node(mozilla_plugin_t)

dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
dev_read_sound(mozilla_plugin_t)
dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)

domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)

files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)

fs_getattr_all_fs(mozilla_plugin_t)
fs_list_dos_dirs(mozilla_plugin_t)
fs_read_dos_files(mozilla_plugin_t)

application_dontaudit_signull(mozilla_plugin_t)

auth_use_nsswitch(mozilla_plugin_t)

logging_send_syslog_msg(mozilla_plugin_t)

miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)
miscfiles_read_certs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)

sysnet_dns_name_resolve(mozilla_plugin_t)

term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)

userdom_rw_user_tmpfs_files(mozilla_plugin_t)
userdom_delete_user_tmpfs_files(mozilla_plugin_t)
userdom_stream_connect(mozilla_plugin_t)
userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
userdom_manage_user_tmp_sockets(mozilla_plugin_t)
userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)

userdom_list_user_tmp(mozilla_plugin_t)
userdom_manage_user_tmp_dirs(mozilla_plugin_t)
userdom_read_user_tmp_files(mozilla_plugin_t)
userdom_read_user_tmp_symlinks(mozilla_plugin_t)
userdom_read_user_home_content_files(mozilla_plugin_t)
userdom_read_user_home_content_files(mozilla_plugin_t)
userdom_read_user_home_content_symlinks(mozilla_plugin_t)
userdom_read_home_certs(mozilla_plugin_t)
userdom_dontaudit_write_home_certs(mozilla_plugin_t)

optional_policy(`
	alsa_read_rw_config(mozilla_plugin_t)
	alsa_read_home_files(mozilla_plugin_t)
')

optional_policy(`
	dbus_system_bus_client(mozilla_plugin_t)
	dbus_session_bus_client(mozilla_plugin_t)
	dbus_read_lib_files(mozilla_plugin_t)
')

optional_policy(`
	git_dontaudit_read_session_content_files(mozilla_plugin_t)
')

optional_policy(`
	gnome_manage_config(mozilla_plugin_t)
	gnome_setattr_home_config(mozilla_plugin_t)
')

optional_policy(`
	java_exec(mozilla_plugin_t)
')

optional_policy(`
	mplayer_exec(mozilla_plugin_t)
	mplayer_read_user_home_files(mozilla_plugin_t)
')

optional_policy(`
	nsplugin_domtrans(mozilla_plugin_t)
	nsplugin_rw_exec(mozilla_plugin_t)
	nsplugin_manage_home_dirs(mozilla_plugin_t)
	nsplugin_manage_home_files(mozilla_plugin_t)
	nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
	nsplugin_user_home_filetrans(mozilla_plugin_t, file)
	nsplugin_signal(mozilla_plugin_t)
')

optional_policy(`
	pulseaudio_exec(mozilla_plugin_t)
	pulseaudio_stream_connect(mozilla_plugin_t)
	pulseaudio_setattr_home_dir(mozilla_plugin_t)
	pulseaudio_manage_home_files(mozilla_plugin_t)
')

optional_policy(`
	xserver_read_xdm_pid(mozilla_plugin_t)
	xserver_stream_connect(mozilla_plugin_t)
	xserver_use_user_fonts(mozilla_plugin_t)
	xserver_read_user_iceauth(mozilla_plugin_t)
	xserver_read_user_xauth(mozilla_plugin_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(mozilla_plugin_t)
	fs_manage_nfs_files(mozilla_plugin_t)
	fs_manage_nfs_symlinks(mozilla_plugin_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(mozilla_plugin_t)
	fs_manage_cifs_files(mozilla_plugin_t)
	fs_manage_cifs_symlinks(mozilla_plugin_t)
')
Commit	Line	Data
826d0142	1	policy_module(mozilla, 2.3.0)
9105f90b CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
56e1b3d2 CP	8	## <desc>
56e1b3d2 CP	9	## <p>
b42ceb94	10	## allow confined web browsers to read home directory content
56e1b3d2 CP	11	## </p>
56e1b3d2 CP	12	## </desc>
0bfccda4	13	gen_tunable(mozilla_read_content, false)
56e1b3d2	14
296273a7 CP	15	type mozilla_t;
	16	type mozilla_exec_t;
	17	typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
	18	typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
	19	application_domain(mozilla_t, mozilla_exec_t)
	20	ubac_constrained(mozilla_t)
	21
9105f90b CP	22	type mozilla_conf_t;
	23	files_config_file(mozilla_conf_t)
	24
296273a7 CP	25	type mozilla_home_t;
	26	typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
	27	typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
3eaa9939	28	files_poly_member(mozilla_home_t)
296273a7 CP	29	userdom_user_home_content(mozilla_home_t)
	30
	31	type mozilla_tmpfs_t;
	32	typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
	33	typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
	34	files_tmpfs_file(mozilla_tmpfs_t)
	35	ubac_constrained(mozilla_tmpfs_t)
	36
3eaa9939 DW	37	type mozilla_plugin_t;
	38	type mozilla_plugin_exec_t;
	39	application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
	40	role system_r types mozilla_plugin_t;
	41
ef98a374 DW	42	type mozilla_plugin_tmp_t;
	43	files_tmp_file(mozilla_plugin_tmp_t)
	44
f5b49a5e DW	45	type mozilla_plugin_tmpfs_t;
	46	files_tmpfs_file(mozilla_plugin_tmpfs_t)
	47	ubac_constrained(mozilla_plugin_tmpfs_t)
	48
3eaa9939 DW	49	permissive mozilla_plugin_t;
3eaa9939 DW	50
296273a7 CP	51	########################################
	52	#
	53	# Local policy
	54	#
	55
	56	allow mozilla_t self:capability { sys_nice setgid setuid };
	57	allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
	58	allow mozilla_t self:fifo_file rw_fifo_file_perms;
	59	allow mozilla_t self:shm { unix_read unix_write read write destroy create };
	60	allow mozilla_t self:sem create_sem_perms;
	61	allow mozilla_t self:socket create_socket_perms;
	62	allow mozilla_t self:unix_stream_socket { listen accept };
	63	# Browse the web, connect to printer
	64	allow mozilla_t self:tcp_socket create_socket_perms;
	65	allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
	66
	67	# for bash - old mozilla binary
	68	can_exec(mozilla_t, mozilla_exec_t)
	69
	70	# X access, Home files
	71	manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
	72	manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
	73	manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
	74	userdom_search_user_home_dirs(mozilla_t)
b77daab0	75	userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
296273a7 CP	76
	77	# Mozpluggerrc
	78	allow mozilla_t mozilla_conf_t:file read_file_perms;
	79
	80	manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
	81	manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
	82	manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
	83	manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
	84	fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
	85
	86	kernel_read_kernel_sysctls(mozilla_t)
	87	kernel_read_network_state(mozilla_t)
	88	# Access /proc, sysctl
	89	kernel_read_system_state(mozilla_t)
	90	kernel_read_net_sysctls(mozilla_t)
	91
b77daab0	92	# Look for plugins
296273a7 CP	93	corecmd_list_bin(mozilla_t)
	94	# for bash - old mozilla binary
	95	corecmd_exec_shell(mozilla_t)
	96	corecmd_exec_bin(mozilla_t)
	97
	98	# Browse the web, connect to printer
	99	corenet_all_recvfrom_unlabeled(mozilla_t)
	100	corenet_all_recvfrom_netlabel(mozilla_t)
	101	corenet_tcp_sendrecv_generic_if(mozilla_t)
	102	corenet_raw_sendrecv_generic_if(mozilla_t)
c1262146 CP	103	corenet_tcp_sendrecv_generic_node(mozilla_t)
c1262146 CP	104	corenet_raw_sendrecv_generic_node(mozilla_t)
296273a7 CP	105	corenet_tcp_sendrecv_http_port(mozilla_t)
296273a7 CP	106	corenet_tcp_sendrecv_http_cache_port(mozilla_t)
3eaa9939 DW	107	corenet_tcp_sendrecv_squid_port(mozilla_t)
3eaa9939 DW	108	corenet_tcp_connect_flash_port(mozilla_t)
296273a7 CP	109	corenet_tcp_sendrecv_ftp_port(mozilla_t)
	110	corenet_tcp_sendrecv_ipp_port(mozilla_t)
	111	corenet_tcp_connect_http_port(mozilla_t)
	112	corenet_tcp_connect_http_cache_port(mozilla_t)
3eaa9939	113	corenet_tcp_connect_squid_port(mozilla_t)
296273a7 CP	114	corenet_tcp_connect_ftp_port(mozilla_t)
	115	corenet_tcp_connect_ipp_port(mozilla_t)
	116	corenet_tcp_connect_generic_port(mozilla_t)
b77daab0	117	corenet_tcp_connect_soundd_port(mozilla_t)
296273a7 CP	118	corenet_sendrecv_http_client_packets(mozilla_t)
296273a7 CP	119	corenet_sendrecv_http_cache_client_packets(mozilla_t)
3eaa9939	120	corenet_sendrecv_squid_client_packets(mozilla_t)
296273a7 CP	121	corenet_sendrecv_ftp_client_packets(mozilla_t)
	122	corenet_sendrecv_ipp_client_packets(mozilla_t)
	123	corenet_sendrecv_generic_client_packets(mozilla_t)
	124	# Should not need other ports
	125	corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
	126	corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
06625d30	127	corenet_tcp_connect_speech_port(mozilla_t)
296273a7 CP	128
	129	dev_read_urand(mozilla_t)
	130	dev_read_rand(mozilla_t)
	131	dev_write_sound(mozilla_t)
	132	dev_read_sound(mozilla_t)
	133	dev_dontaudit_rw_dri(mozilla_t)
	134	dev_getattr_sysfs_dirs(mozilla_t)
	135
b77daab0 CP	136	domain_dontaudit_read_all_domains_state(mozilla_t)
b77daab0 CP	137
296273a7 CP	138	files_read_etc_runtime_files(mozilla_t)
	139	files_read_usr_files(mozilla_t)
	140	files_read_etc_files(mozilla_t)
	141	# /var/lib
	142	files_read_var_lib_files(mozilla_t)
	143	# interacting with gstreamer
	144	files_read_var_files(mozilla_t)
	145	files_read_var_symlinks(mozilla_t)
	146	files_dontaudit_getattr_boot_dirs(mozilla_t)
	147
	148	fs_search_auto_mountpoints(mozilla_t)
	149	fs_list_inotifyfs(mozilla_t)
	150	fs_rw_tmpfs_files(mozilla_t)
	151
	152	term_dontaudit_getattr_pty_dirs(mozilla_t)
	153
	154	logging_send_syslog_msg(mozilla_t)
	155
	156	miscfiles_read_fonts(mozilla_t)
	157	miscfiles_read_localization(mozilla_t)
3c1e8ff6	158	miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
296273a7 CP	159
	160	# Browse the web, connect to printer
	161	sysnet_dns_name_resolve(mozilla_t)
	162
3c1e8ff6	163	userdom_use_user_ptys(mozilla_t)
296273a7 CP	164
	165	xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
	166	xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
	167	xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
	168
	169	tunable_policy(`allow_execmem',`
	170	allow mozilla_t self:process { execmem execstack };
	171	')
	172
	173	tunable_policy(`use_nfs_home_dirs',`
	174	fs_manage_nfs_dirs(mozilla_t)
	175	fs_manage_nfs_files(mozilla_t)
	176	fs_manage_nfs_symlinks(mozilla_t)
	177	')
	178
	179	tunable_policy(`use_samba_home_dirs',`
	180	fs_manage_cifs_dirs(mozilla_t)
	181	fs_manage_cifs_files(mozilla_t)
	182	fs_manage_cifs_symlinks(mozilla_t)
	183	')
	184
	185	# Uploads, local html
	186	tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
	187	fs_list_auto_mountpoints(mozilla_t)
	188	files_list_home(mozilla_t)
	189	fs_read_nfs_files(mozilla_t)
	190	fs_read_nfs_symlinks(mozilla_t)
	191
	192	',`
	193	files_dontaudit_list_home(mozilla_t)
	194	fs_dontaudit_list_auto_mountpoints(mozilla_t)
	195	fs_dontaudit_read_nfs_files(mozilla_t)
	196	fs_dontaudit_list_nfs(mozilla_t)
	197	')
	198
	199	tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
	200	fs_list_auto_mountpoints(mozilla_t)
	201	files_list_home(mozilla_t)
	202	fs_read_cifs_files(mozilla_t)
	203	fs_read_cifs_symlinks(mozilla_t)
	204	',`
	205	files_dontaudit_list_home(mozilla_t)
	206	fs_dontaudit_list_auto_mountpoints(mozilla_t)
	207	fs_dontaudit_read_cifs_files(mozilla_t)
	208	fs_dontaudit_list_cifs(mozilla_t)
	209	')
	210
	211	tunable_policy(`mozilla_read_content',`
	212	userdom_list_user_tmp(mozilla_t)
	213	userdom_read_user_tmp_files(mozilla_t)
	214	userdom_read_user_tmp_symlinks(mozilla_t)
	215	userdom_read_user_home_content_files(mozilla_t)
	216	userdom_read_user_home_content_symlinks(mozilla_t)
	217
	218	ifdef(`enable_mls',`',`
	219	fs_search_removable(mozilla_t)
	220	fs_read_removable_files(mozilla_t)
	221	fs_read_removable_symlinks(mozilla_t)
	222	')
	223	',`
	224	files_dontaudit_list_tmp(mozilla_t)
	225	files_dontaudit_list_home(mozilla_t)
	226	fs_dontaudit_list_removable(mozilla_t)
	227	fs_dontaudit_read_removable_files(mozilla_t)
228	userdom_dontaudit_list_user_tmp(mozilla_t)
229	userdom_dontaudit_read_user_tmp_files(mozilla_t)
230	userdom_dontaudit_list_user_home_dirs(mozilla_t)
231	userdom_dontaudit_read_user_home_content_files(mozilla_t)
232	')
233
296273a7 CP	234	optional_policy(`
	235	apache_read_user_scripts(mozilla_t)
	236	apache_read_user_content(mozilla_t)
	237	')
	238
	239	optional_policy(`
	240	automount_dontaudit_getattr_tmp_dirs(mozilla_t)
	241	')
	242
	243	optional_policy(`
	244	cups_read_rw_config(mozilla_t)
	245	cups_dbus_chat(mozilla_t)
	246	')
	247
	248	optional_policy(`
	249	dbus_system_bus_client(mozilla_t)
	250	dbus_session_bus_client(mozilla_t)
b77daab0 CP	251
	252	optional_policy(`
	253	networkmanager_dbus_chat(mozilla_t)
	254	')
296273a7 CP	255	')
	256
	257	optional_policy(`
	258	gnome_stream_connect_gconf(mozilla_t)
06625d30	259	gnome_manage_config(mozilla_t)
3eaa9939	260	gnome_manage_gconf_home_files(mozilla_t)
296273a7 CP	261	')
	262
	263	optional_policy(`
	264	java_domtrans(mozilla_t)
	265	')
	266
	267	optional_policy(`
	268	lpd_domtrans_lpr(mozilla_t)
	269	')
	270
	271	optional_policy(`
	272	mplayer_domtrans(mozilla_t)
	273	mplayer_read_user_home_files(mozilla_t)
	274	')
	275
	276	optional_policy(`
	277	nscd_socket_use(mozilla_t)
	278	')
	279
3eaa9939 DW	280	optional_policy(`
	281	nsplugin_manage_rw(mozilla_t)
	282	nsplugin_manage_home_files(mozilla_t)
	283	')
	284
3c1e8ff6 CP	285	optional_policy(`
	286	pulseaudio_exec(mozilla_t)
	287	pulseaudio_stream_connect(mozilla_t)
	288	pulseaudio_manage_home_files(mozilla_t)
	289	')
	290
296273a7 CP	291	optional_policy(`
	292	thunderbird_domtrans(mozilla_t)
	293	')
3eaa9939 DW	294
	295	########################################
	296	#
	297	# mozilla_plugin local policy
	298	#
e12b7e14 MG	299
	300	dontaudit mozilla_plugin_t self:capability { sys_ptrace };
	301
f5b49a5e	302	allow mozilla_plugin_t self:process { setsched signal_perms execmem };
4e6b3f6d	303	allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
095debe0	304	allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
4e6b3f6d	305	allow mozilla_plugin_t self:udp_socket create_socket_perms;
803cc59a	306	allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
3eaa9939 DW	307
	308	allow mozilla_plugin_t self:sem create_sem_perms;
	309	allow mozilla_plugin_t self:shm create_shm_perms;
	310	allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
	311	allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
	312
7cfb9354	313	can_exec(mozilla_plugin_t, mozilla_home_t)
4e6b3f6d	314	read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
3eaa9939	315
ef98a374 DW	316	manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
ef98a374 DW	317	manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
095debe0 DW	318	manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
095debe0 DW	319	files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
2a9f121c	320	userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
ddd1ccaa	321	can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
ef98a374	322
f5b49a5e DW	323	manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
	324	manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
	325	manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
	326	manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
	327	fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
	328
0b8f4cfe DW	329	can_exec(mozilla_plugin_t, mozilla_exec_t)
0b8f4cfe DW	330
3eaa9939 DW	331	kernel_read_kernel_sysctls(mozilla_plugin_t)
3eaa9939 DW	332	kernel_read_system_state(mozilla_plugin_t)
59650fa8	333	kernel_read_network_state(mozilla_plugin_t)
3eaa9939 DW	334	kernel_request_load_module(mozilla_plugin_t)
	335
	336	corecmd_exec_bin(mozilla_plugin_t)
	337	corecmd_exec_shell(mozilla_plugin_t)
	338
2ad0c1a6	339	corenet_tcp_connect_generic_port(mozilla_plugin_t)
b45aaab9 DW	340	corenet_tcp_connect_flash_port(mozilla_plugin_t)
	341	corenet_tcp_connect_streaming_port(mozilla_plugin_t)
	342	corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
	343	corenet_tcp_connect_http_port(mozilla_plugin_t)
	344	corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
	345	corenet_tcp_connect_squid_port(mozilla_plugin_t)
	346	corenet_tcp_connect_ipp_port(mozilla_plugin_t)
61beb367	347	corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
b45aaab9	348	corenet_tcp_connect_speech_port(mozilla_plugin_t)
1af3b1e8	349	corenet_tcp_connect_streaming_port(mozilla_plugin_t)
6cbe7690 MG	350	corenet_tcp_bind_generic_node(mozilla_plugin_t)
6cbe7690 MG	351	corenet_udp_bind_generic_node(mozilla_plugin_t)
b45aaab9	352
095debe0	353	dev_read_rand(mozilla_plugin_t)
3eaa9939	354	dev_read_urand(mozilla_plugin_t)
f5b49a5e	355	dev_read_video_dev(mozilla_plugin_t)
b45aaab9	356	dev_write_video_dev(mozilla_plugin_t)
f5b49a5e	357	dev_read_sysfs(mozilla_plugin_t)
0b8f4cfe DW	358	dev_read_sound(mozilla_plugin_t)
0b8f4cfe DW	359	dev_write_sound(mozilla_plugin_t)
61beb367 MG	360	# for nvidia driver
61beb367 MG	361	dev_rw_xserver_misc(mozilla_plugin_t)
4e6b3f6d	362	dev_dontaudit_rw_dri(mozilla_plugin_t)
3eaa9939 DW	363
	364	domain_use_interactive_fds(mozilla_plugin_t)
	365	domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
	366
	367	files_read_config_files(mozilla_plugin_t)
	368	files_read_usr_files(mozilla_plugin_t)
095debe0	369	files_list_mnt(mozilla_plugin_t)
3eaa9939	370
e160b2c6	371	fs_getattr_all_fs(mozilla_plugin_t)
095debe0 DW	372	fs_list_dos_dirs(mozilla_plugin_t)
095debe0 DW	373	fs_read_dos_files(mozilla_plugin_t)
ef98a374	374
751ec039 DW	375	application_dontaudit_signull(mozilla_plugin_t)
751ec039 DW	376
9ba3eded MG	377	auth_use_nsswitch(mozilla_plugin_t)
9ba3eded MG	378
6cbe7690 MG	379	logging_send_syslog_msg(mozilla_plugin_t)
6cbe7690 MG	380
3eaa9939	381	miscfiles_read_localization(mozilla_plugin_t)
f5b49a5e	382	miscfiles_read_fonts(mozilla_plugin_t)
095debe0	383	miscfiles_read_certs(mozilla_plugin_t)
d889c6bb	384	miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
3eaa9939	385
79bff2bb DW	386	sysnet_dns_name_resolve(mozilla_plugin_t)
79bff2bb DW	387
3eaa9939 DW	388	term_getattr_all_ttys(mozilla_plugin_t)
	389	term_getattr_all_ptys(mozilla_plugin_t)
	390
ef98a374	391	userdom_rw_user_tmpfs_files(mozilla_plugin_t)
5212892e	392	userdom_delete_user_tmpfs_files(mozilla_plugin_t)
f5b49a5e DW	393	userdom_stream_connect(mozilla_plugin_t)
f5b49a5e DW	394	userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
57ce3836	395	userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
ddd1ccaa	396	userdom_manage_user_tmp_sockets(mozilla_plugin_t)
461f97d7	397	userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
4e6b3f6d DW	398
4e6b3f6d DW	399	userdom_list_user_tmp(mozilla_plugin_t)
d1c6ba20	400	userdom_manage_user_tmp_dirs(mozilla_plugin_t)
4e6b3f6d DW	401	userdom_read_user_tmp_files(mozilla_plugin_t)
	402	userdom_read_user_tmp_symlinks(mozilla_plugin_t)
	403	userdom_read_user_home_content_files(mozilla_plugin_t)
5212892e	404	userdom_read_user_home_content_files(mozilla_plugin_t)
4e6b3f6d	405	userdom_read_user_home_content_symlinks(mozilla_plugin_t)
da61030d	406	userdom_read_home_certs(mozilla_plugin_t)
f06e4c22	407	userdom_dontaudit_write_home_certs(mozilla_plugin_t)
f5b49a5e	408
0b8f4cfe DW	409	optional_policy(`
0b8f4cfe DW	410	alsa_read_rw_config(mozilla_plugin_t)
b45aaab9	411	alsa_read_home_files(mozilla_plugin_t)
0b8f4cfe DW	412	')
0b8f4cfe DW	413
f5b49a5e	414	optional_policy(`
6cbe7690	415	dbus_system_bus_client(mozilla_plugin_t)
4e6b3f6d	416	dbus_session_bus_client(mozilla_plugin_t)
f5b49a5e DW	417	dbus_read_lib_files(mozilla_plugin_t)
f5b49a5e DW	418	')
6cbe7690 MG	419
	420	optional_policy(`
	421	git_dontaudit_read_session_content_files(mozilla_plugin_t)
	422	')
f5b49a5e DW	423
f5b49a5e DW	424	optional_policy(`
79bff2bb	425	gnome_manage_config(mozilla_plugin_t)
5ef740e5	426	gnome_setattr_home_config(mozilla_plugin_t)
f5b49a5e	427	')
ef98a374	428
095debe0 DW	429	optional_policy(`
	430	java_exec(mozilla_plugin_t)
	431	')
	432
67f46f2d DW	433	optional_policy(`
	434	mplayer_exec(mozilla_plugin_t)
	435	mplayer_read_user_home_files(mozilla_plugin_t)
	436	')
	437
3eaa9939 DW	438	optional_policy(`
	439	nsplugin_domtrans(mozilla_plugin_t)
	440	nsplugin_rw_exec(mozilla_plugin_t)
da073333	441	nsplugin_manage_home_dirs(mozilla_plugin_t)
f5b49a5e	442	nsplugin_manage_home_files(mozilla_plugin_t)
79bff2bb	443	nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
3962a28b	444	nsplugin_user_home_filetrans(mozilla_plugin_t, file)
6ed3f15e	445	nsplugin_signal(mozilla_plugin_t)
f5b49a5e DW	446	')
	447
	448	optional_policy(`
b45aaab9 DW	449	pulseaudio_exec(mozilla_plugin_t)
b45aaab9 DW	450	pulseaudio_stream_connect(mozilla_plugin_t)
79bff2bb	451	pulseaudio_setattr_home_dir(mozilla_plugin_t)
b45aaab9	452	pulseaudio_manage_home_files(mozilla_plugin_t)
3eaa9939 DW	453	')
	454
	455	optional_policy(`
	456	xserver_read_xdm_pid(mozilla_plugin_t)
	457	xserver_stream_connect(mozilla_plugin_t)
0b8f4cfe	458	xserver_use_user_fonts(mozilla_plugin_t)
ddd1ccaa	459	xserver_read_user_iceauth(mozilla_plugin_t)
97ec2391	460	xserver_read_user_xauth(mozilla_plugin_t)
3eaa9939	461	')
36da87c2 DW	462
	463	tunable_policy(`use_nfs_home_dirs',`
	464	fs_manage_nfs_dirs(mozilla_plugin_t)
	465	fs_manage_nfs_files(mozilla_plugin_t)
	466	fs_manage_nfs_symlinks(mozilla_plugin_t)
	467	')
	468
	469	tunable_policy(`use_samba_home_dirs',`
	470	fs_manage_cifs_dirs(mozilla_plugin_t)
	471	fs_manage_cifs_files(mozilla_plugin_t)
	472	fs_manage_cifs_symlinks(mozilla_plugin_t)
	473	')