policy_module(mozilla, 2.3.3)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow confined web browsers to read home directory content
## </p>
## </desc>
gen_tunable(mozilla_read_content, false)

#
# Browser domain and its file types
#

type mozilla_t;
type mozilla_exec_t;
# Legacy per-role domain names are kept as aliases of the single browser domain
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t auditadm_mozilla_t secadm_mozilla_t };
application_domain(mozilla_t, mozilla_exec_t)
ubac_constrained(mozilla_t)

# Read-only browser configuration (mozpluggerrc)
type mozilla_conf_t;
files_config_file(mozilla_conf_t)

# Profile data in the home directory (also carries the old nsplugin home type name)
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t auditadm_mozilla_home_t secadm_mozilla_home_t nsplugin_home_t };
files_poly_member(mozilla_home_t)
userdom_user_home_content(mozilla_home_t)

type mozilla_tmp_t;
files_tmp_file(mozilla_tmp_t)
ubac_constrained(mozilla_tmp_t)

type mozilla_tmpfs_t;
typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
files_tmpfs_file(mozilla_tmpfs_t)
ubac_constrained(mozilla_tmpfs_t)

#
# Plugin host domain and its file types
#

type mozilla_plugin_t;
type mozilla_plugin_exec_t;
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role system_r types mozilla_plugin_t;
# NOTE(review): the plugin domain itself is not ubac_constrained although its
# tmp and tmpfs types below are, and the browser domain is -- confirm intended.

type mozilla_plugin_tmp_t;
userdom_user_tmp_content(mozilla_plugin_tmp_t)
files_tmp_file(mozilla_plugin_tmp_t)
ubac_constrained(mozilla_plugin_tmp_t)

type mozilla_plugin_tmpfs_t;
userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
files_tmpfs_file(mozilla_plugin_tmpfs_t)
ubac_constrained(mozilla_plugin_tmpfs_t)

# Shared plugin files (old nsplugin_rw_t). Within this module only the
# plugin configuration helper domain writes them; the plugin host reads them.
type mozilla_plugin_rw_t alias nsplugin_rw_t;
files_type(mozilla_plugin_rw_t)

#
# Plugin configuration helper domain
#

type mozilla_plugin_config_t;
type mozilla_plugin_config_exec_t;
application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)

########################################
#
# Local policy
#

#
# mozilla_t: the browser itself
#

# NOTE(review): setuid/setgid on a browser domain is broad; nothing in this
# module shows which operation needs them.
allow mozilla_t self:capability { setuid setgid sys_nice };
allow mozilla_t self:process { signal sigkill getsched setsched setrlimit };

# IPC with itself: pipes, SysV shm/sem, local sockets
allow mozilla_t self:fifo_file rw_fifo_file_perms;
allow mozilla_t self:sem create_sem_perms;
allow mozilla_t self:shm { create destroy read write unix_read unix_write };
allow mozilla_t self:socket create_socket_perms;
allow mozilla_t self:unix_stream_socket { listen accept };

# Browse the web, connect to printer (ports are granted further down)
allow mozilla_t self:tcp_socket create_socket_perms;
allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;

# for bash - old mozilla binary (re-exec of the browser binary, no transition)
can_exec(mozilla_t, mozilla_exec_t)

# Profile directory under the user home dir, created with the mozilla_home_t label
userdom_search_user_home_dirs(mozilla_t)
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)

# Mozpluggerrc
allow mozilla_t mozilla_conf_t:file read_file_perms;

# Scratch files in /tmp
files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)

# Scratch objects on tmpfs; the same type is handed to
# xserver_user_x_domain_template further down
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)

# Access /proc, sysctl
kernel_read_system_state(mozilla_t)
kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
kernel_read_net_sysctls(mozilla_t)

# Look for plugins; shell and bin execution for the old mozilla wrapper.
# NOTE(review): both execs stay in mozilla_t (no domain transition), so the
# browser domain is as wide as whatever it can run from bin_t/shell_exec_t.
corecmd_list_bin(mozilla_t)
corecmd_exec_shell(mozilla_t)
corecmd_exec_bin(mozilla_t)

# Network: interfaces, nodes and labeled/unlabeled peers
corenet_all_recvfrom_unlabeled(mozilla_t)
corenet_all_recvfrom_netlabel(mozilla_t)
corenet_tcp_sendrecv_generic_if(mozilla_t)
corenet_tcp_sendrecv_generic_node(mozilla_t)
corenet_raw_sendrecv_generic_if(mozilla_t)
corenet_raw_sendrecv_generic_node(mozilla_t)

# Browse the web: http, http caches, squid, ftp
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
corenet_sendrecv_http_client_packets(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
corenet_tcp_connect_http_cache_port(mozilla_t)
corenet_sendrecv_http_cache_client_packets(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
corenet_tcp_connect_squid_port(mozilla_t)
corenet_sendrecv_squid_client_packets(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
corenet_tcp_connect_ftp_port(mozilla_t)
corenet_sendrecv_ftp_client_packets(mozilla_t)

# Printing (ipp), flash, sound daemon, speech synthesis
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_ipp_port(mozilla_t)
corenet_sendrecv_ipp_client_packets(mozilla_t)
corenet_tcp_connect_flash_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
corenet_tcp_connect_speech_port(mozilla_t)

# Outbound connections to any generic (otherwise unlabeled) port and to all
# ephemeral ports are granted too, so the per-port rules above are not an
# allow-list of destinations. Binding and sendrecv on generic ports are not
# granted here; their denials are silenced.
corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
corenet_sendrecv_generic_client_packets(mozilla_t)
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
corenet_dontaudit_tcp_bind_generic_port(mozilla_t)

# Devices: entropy and sound; DRI denials are silenced rather than granted
dev_read_rand(mozilla_t)
dev_read_urand(mozilla_t)
dev_read_sound(mozilla_t)
dev_write_sound(mozilla_t)
dev_dontaudit_rw_dri(mozilla_t)
dev_getattr_sysfs_dirs(mozilla_t)

domain_dontaudit_read_all_domains_state(mozilla_t)

# System configuration and shared data
files_read_etc_files(mozilla_t)
files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t)
# /var/lib
files_read_var_lib_files(mozilla_t)
# interacting with gstreamer
files_read_var_files(mozilla_t)
files_read_var_symlinks(mozilla_t)
files_dontaudit_getattr_boot_dirs(mozilla_t)

fs_search_auto_mountpoints(mozilla_t)
fs_list_inotifyfs(mozilla_t)
# rw on generic tmpfs files, beyond the module-owned mozilla_tmpfs_t
fs_rw_tmpfs_files(mozilla_t)

term_dontaudit_getattr_pty_dirs(mozilla_t)

auth_use_nsswitch(mozilla_t)

logging_send_syslog_msg(mozilla_t)

miscfiles_read_fonts(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
miscfiles_read_localization(mozilla_t)

# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)

userdom_use_inherited_user_ptys(mozilla_t)

# X client access; mozilla_tmpfs_t is passed as the tmpfs type for the template
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)

# Executable memory: execmem is granted unless deny_execmem is set,
# execstack only when allow_execstack is set.
tunable_policy(`deny_execmem',`',`
	allow mozilla_t self:process execmem;
')

tunable_policy(`allow_execstack',`
	allow mozilla_t self:process execstack;
')

# NOTE(review): applied unconditionally; what this interface grants on top of
# the mozilla_home_t rules above is defined in userdomain.if -- verify it does
# not widen home access that the mozilla_read_content boolean is meant to gate.
userdom_home_manager(mozilla_t)

# Uploads, local html: reading files owned by the user is gated by the
# mozilla_read_content boolean; with the boolean off the denials are silenced.
tunable_policy(`mozilla_read_content',`
	userdom_list_user_tmp(mozilla_t)
	userdom_read_user_tmp_files(mozilla_t)
	userdom_read_user_tmp_symlinks(mozilla_t)
	userdom_read_user_home_content_files(mozilla_t)
	userdom_read_user_home_content_symlinks(mozilla_t)

	# Removable media access is left out of an MLS build
	ifndef(`enable_mls',`
		fs_search_removable(mozilla_t)
		fs_read_removable_files(mozilla_t)
		fs_read_removable_symlinks(mozilla_t)
	')
',`
	files_dontaudit_list_tmp(mozilla_t)
	files_dontaudit_list_home(mozilla_t)
	fs_dontaudit_list_removable(mozilla_t)
	fs_dontaudit_read_removable_files(mozilla_t)
	userdom_dontaudit_list_user_tmp(mozilla_t)
	userdom_dontaudit_read_user_tmp_files(mozilla_t)
	userdom_dontaudit_list_user_home_dirs(mozilla_t)
	userdom_dontaudit_read_user_home_content_files(mozilla_t)
')

# Same gate for home directories that live on NFS ...
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
	files_list_home(mozilla_t)
	fs_list_auto_mountpoints(mozilla_t)
	fs_read_nfs_files(mozilla_t)
	fs_read_nfs_symlinks(mozilla_t)
',`
	files_dontaudit_list_home(mozilla_t)
	fs_dontaudit_list_auto_mountpoints(mozilla_t)
	fs_dontaudit_list_nfs(mozilla_t)
	fs_dontaudit_read_nfs_files(mozilla_t)
')

# ... and on CIFS
tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
	files_list_home(mozilla_t)
	fs_list_auto_mountpoints(mozilla_t)
	fs_read_cifs_files(mozilla_t)
	fs_read_cifs_symlinks(mozilla_t)
',`
	files_dontaudit_list_home(mozilla_t)
	fs_dontaudit_list_auto_mountpoints(mozilla_t)
	fs_dontaudit_list_cifs(mozilla_t)
	fs_dontaudit_read_cifs_files(mozilla_t)
')

optional_policy(`
	# Local html served from user web directories
	apache_read_user_content(mozilla_t)
	apache_read_user_scripts(mozilla_t)
')

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(mozilla_t)
')

optional_policy(`
	# Printing via cups
	cups_read_rw_config(mozilla_t)
	cups_dbus_chat(mozilla_t)
')

optional_policy(`
	dbus_session_bus_client(mozilla_t)
	dbus_system_bus_client(mozilla_t)

	optional_policy(`
		networkmanager_dbus_chat(mozilla_t)
	')
')

optional_policy(`
	gnome_manage_config(mozilla_t)
	gnome_manage_gconf_home_files(mozilla_t)
	gnome_stream_connect_gconf(mozilla_t)
')

optional_policy(`
	# Domain transition into the java domain (contrast with java_exec for the plugin host)
	java_domtrans(mozilla_t)
')

optional_policy(`
	lpd_domtrans_lpr(mozilla_t)
')

optional_policy(`
	mplayer_read_user_home_files(mozilla_t)
	mplayer_domtrans(mozilla_t)
')

optional_policy(`
	pulseaudio_stream_connect(mozilla_t)
	pulseaudio_exec(mozilla_t)
	pulseaudio_manage_home_files(mozilla_t)
')

optional_policy(`
	thunderbird_domtrans(mozilla_t)
')

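########################################
#
# mozilla_plugin local policy
#

dontaudit mozilla_plugin_t self:capability sys_nice;

# execmem is intentionally NOT granted here: it is controlled by the
# deny_execmem tunable_policy block further down in this section. An
# unconditional grant on this line made that boolean a no-op for the
# plugin host, which handles untrusted web content.
allow mozilla_plugin_t self:process { setsched signal_perms };
allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
allow mozilla_plugin_t self:udp_socket create_socket_perms;

allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
# Only sendto on dgram sockets is granted by this module
allow mozilla_plugin_t self:unix_dgram_socket sendto;
allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };

# Profile files may be executed by the plugin host. mozilla_home_t is
# writable by mozilla_t and mozilla_plugin_config_t, so anything the browser
# writes into the profile is executable from a plugin.
can_exec(mozilla_plugin_t, mozilla_home_t)
# The manage_{dirs,files,lnk_files}_pattern(mozilla_plugin_config_t,
# mozilla_home_t, mozilla_home_t) rules that used to follow here were exact
# duplicates of the ones in the mozilla_plugin_config local policy section
# and have been dropped. If the intent was to let mozilla_plugin_t itself
# manage mozilla_home_t, that is a separate and wider change to make explicitly.

# Scratch files in /tmp, labeled mozilla_plugin_tmp_t
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
# NOTE(review): write and execute on the same tmp type means anything the
# plugin host can download to /tmp it can also run. Presumably some plugin
# needs this, but it removes the W^X separation at the file level for this domain.
can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)

# Scratch objects on tmpfs
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })

# Shared plugin files: read-only for the plugin host (the config helper writes them)
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)

# Plain exec of the browser binary, no transition back into mozilla_t
can_exec(mozilla_plugin_t, mozilla_exec_t)
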
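kernel_read_kernel_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
kernel_read_network_state(mozilla_plugin_t)
# NOTE(review): lets the plugin host trigger kernel module autoloading;
# worth confirming which plugin actually needs this.
kernel_request_load_module(mozilla_plugin_t)

# NOTE(review): shell and bin execution stays in mozilla_plugin_t (no transition)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)

# Outbound TCP: web, print, flash, media/streaming, pulseaudio, speech, and --
# via generic and all-ephemeral ports -- any port not otherwise labeled.
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ftp_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_flash_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
# streaming_port was listed twice; the duplicate call has been removed
corenet_tcp_connect_streaming_port(mozilla_plugin_t)
corenet_tcp_connect_generic_port(mozilla_plugin_t)
corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)

# Socket binding on generic nodes (no generic port bind is granted in this module)
corenet_tcp_bind_generic_node(mozilla_plugin_t)
corenet_udp_bind_generic_node(mozilla_plugin_t)
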
# Devices: entropy, sysfs, sound, video; nvidia misc nodes for the X driver;
# DRI denials silenced rather than granted
dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
dev_read_sound(mozilla_plugin_t)
dev_write_sound(mozilla_plugin_t)
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)

domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)

files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)

fs_getattr_all_fs(mozilla_plugin_t)
fs_list_dos(mozilla_plugin_t)
fs_read_dos_files(mozilla_plugin_t)

application_dontaudit_signull(mozilla_plugin_t)

auth_use_nsswitch(mozilla_plugin_t)

logging_send_syslog_msg(mozilla_plugin_t)

miscfiles_read_fonts(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_generic_certs(mozilla_plugin_t)

sysnet_dns_name_resolve(mozilla_plugin_t)

# Terminals: getattr only; use of user terminals is silenced, not granted
term_getattr_all_ptys(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)

# Generic user tmp/tmpfs objects (beyond the mozilla_plugin_* types above)
userdom_manage_user_tmp_dirs(mozilla_plugin_t)
userdom_manage_user_tmp_sockets(mozilla_plugin_t)
userdom_read_user_tmp_files(mozilla_plugin_t)
userdom_read_user_tmp_symlinks(mozilla_plugin_t)
userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
userdom_delete_user_tmpfs_files(mozilla_plugin_t)
userdom_stream_connect(mozilla_plugin_t)

# Home directory content. NOTE(review): these are unconditional, whereas the
# equivalent read access for mozilla_t is gated by mozilla_read_content; the
# boolean therefore does not limit what a plugin can read from the home dir.
userdom_read_user_home_content_files(mozilla_plugin_t)
userdom_read_user_home_content_symlinks(mozilla_plugin_t)
userdom_read_home_certs(mozilla_plugin_t)
userdom_dontaudit_write_home_certs(mozilla_plugin_t)
userdom_read_home_audio_files(mozilla_plugin_t)

# Executable memory, same scheme as for mozilla_t above
tunable_policy(`allow_execstack',`
	allow mozilla_plugin_t self:process execstack;
')

# NOTE(review): this boolean only has an effect if no unconditional
# self:process execmem allow exists for mozilla_plugin_t elsewhere in the
# module -- check the self rules at the top of this section.
tunable_policy(`deny_execmem',`',`
	allow mozilla_plugin_t self:process execmem;
')

userdom_home_manager(mozilla_plugin_t)

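optional_policy(`
	alsa_read_rw_config(mozilla_plugin_t)
	alsa_read_home_files(mozilla_plugin_t)
')

optional_policy(`
	dbus_system_bus_client(mozilla_plugin_t)
	dbus_session_bus_client(mozilla_plugin_t)
	dbus_read_lib_files(mozilla_plugin_t)
')

optional_policy(`
	git_dontaudit_read_session_content_files(mozilla_plugin_t)
')

optional_policy(`
	gnome_manage_config(mozilla_plugin_t)
	gnome_read_usr_config(mozilla_plugin_t)
')

optional_policy(`
	# exec, not domtrans (unlike mozilla_t above): java runs inside mozilla_plugin_t
	java_exec(mozilla_plugin_t)
')

optional_policy(`
	mplayer_exec(mozilla_plugin_t)
	mplayer_read_user_home_files(mozilla_plugin_t)
')

optional_policy(`
	pcscd_stream_connect(mozilla_plugin_t)
')

optional_policy(`
	pulseaudio_exec(mozilla_plugin_t)
	pulseaudio_stream_connect(mozilla_plugin_t)
	pulseaudio_setattr_home_dir(mozilla_plugin_t)
	pulseaudio_manage_home_files(mozilla_plugin_t)
	pulseaudio_manage_home_symlinks(mozilla_plugin_t)
')

optional_policy(`
	rtkit_scheduled(mozilla_plugin_t)
')

optional_policy(`
	udev_read_db(mozilla_plugin_t)
')

optional_policy(`
	xserver_read_xdm_pid(mozilla_plugin_t)
	xserver_stream_connect(mozilla_plugin_t)
	xserver_use_user_fonts(mozilla_plugin_t)
	xserver_read_user_iceauth(mozilla_plugin_t)
	xserver_read_user_xauth(mozilla_plugin_t)
	# Stray trailing semicolon removed: interface calls expand to complete
	# statements and no other call in this module carries one
	xserver_append_xdm_home_files(mozilla_plugin_t)
')
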
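########################################
#
# mozilla_plugin_config local policy
#

# NOTE(review): dac_override/dac_read_search plus setuid/setgid is a lot for
# a configuration helper; nothing in this module shows which step of plugin
# configuration needs DAC bypass. execmem is also unconditional here (no
# deny_execmem gate as for the other two domains).
allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
allow mozilla_plugin_config_t self:process { setsched getsched signal_perms execmem };

# rw_fifo_file_perms rather than rw_file_perms, matching the fifo_file rule for mozilla_t
allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;

dev_search_sysfs(mozilla_plugin_config_t)
dev_read_urand(mozilla_plugin_config_t)
dev_dontaudit_read_rand(mozilla_plugin_config_t)
dev_dontaudit_rw_dri(mozilla_plugin_config_t)

fs_search_auto_mountpoints(mozilla_plugin_config_t)
fs_list_inotifyfs(mozilla_plugin_config_t)

# Shared plugin files: this is the only domain in the module that writes
# them, and it may also execute them (write + exec on one type).
can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)

# Browser profile data
manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)

corecmd_exec_bin(mozilla_plugin_config_t)
corecmd_exec_shell(mozilla_plugin_config_t)

kernel_read_system_state(mozilla_plugin_config_t)
kernel_request_load_module(mozilla_plugin_config_t)

domain_use_interactive_fds(mozilla_plugin_config_t)

files_read_etc_files(mozilla_plugin_config_t)
files_read_usr_files(mozilla_plugin_config_t)
files_dontaudit_search_home(mozilla_plugin_config_t)
files_list_tmp(mozilla_plugin_config_t)

auth_use_nsswitch(mozilla_plugin_config_t)

miscfiles_read_localization(mozilla_plugin_config_t)
miscfiles_read_fonts(mozilla_plugin_config_t)

userdom_search_user_home_content(mozilla_plugin_config_t)
userdom_read_user_home_content_files(mozilla_plugin_config_t)
userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
userdom_use_inherited_user_ptys(mozilla_plugin_config_t)

# Hand-off into the plugin host domain
domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)

optional_policy(`
	xserver_use_user_fonts(mozilla_plugin_config_t)
')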