1 ## <summary>Policy for Mozilla and related web browsers</summary>
3 ########################################
5 ## Role access for mozilla
12 ## <param name="domain">
14 ## User domain for the role
18 interface(`mozilla_role',`
# Grants a role and its user domain the access needed to start the browser
# domain mozilla_t and to interact with it. Going by the rules below, $1 is
# the role and $2 is the user domain.
# NOTE(review): the embedded line numbers skip lines here, so the gen_require
# wrapper around the type declaration and the closing of this interface are
# not visible in this listing. Confirm against the full file.
# NOTE(review): keep quote characters out of comments inside this body; the
# body is an m4 quoted argument and a stray quote would end it early.
20 type mozilla_t, mozilla_exec_t, mozilla_home_t;
# Authorize mozilla_t as a type for role $1.
23 role $1 types mozilla_t;
# Executing a mozilla_exec_t file from $2 transitions into mozilla_t.
25 domain_auto_trans($2, mozilla_exec_t, mozilla_t)
26 # Unrestricted inheritance from the caller.
# SECURITY: noatsecure disables secure-mode (AT_SECURE) handling on this
# transition, so the environment of $2, dynamic loader variables included,
# reaches mozilla_t unscrubbed. siginh and rlimitinh carry signal state and
# resource limits across as well. The confinement of mozilla_t therefore
# assumes $2 is at least as trusted as the browser; review before reusing
# this interface for a less trusted caller.
27 allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
# The browser may use descriptors inherited from $2, report child exit and
# probe for process existence, and connect to unix stream sockets of $2.
28 allow mozilla_t $2:fd use;
29 allow mozilla_t $2:process { sigchld signull };
30 allow mozilla_t $2:unix_stream_socket connectto;
32 # Allow the user domain to signal/ps.
33 ps_process_pattern($2, mozilla_t)
34 allow $2 mozilla_t:process signal_perms;
# Descriptor use, shared memory and unix stream sockets are opened in the
# $2 to mozilla_t direction too. Together with the rules above this is a
# two-way channel between the user domain and the browser domain.
36 allow $2 mozilla_t:fd use;
37 allow $2 mozilla_t:shm { associate getattr };
38 allow $2 mozilla_t:shm { unix_read unix_write };
39 allow $2 mozilla_t:unix_stream_socket connectto;
41 # X access, Home files
# NOTE(review): only home-content rules are visible below; no X rule appears
# in this listing, so the heading may be stale or lines may be missing.
# $2 gets full management of mozilla_home_t directories, files and symlinks.
42 manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
43 manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
44 manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
# $2 may also relabel content to and from mozilla_home_t, which means the
# label alone does not prove the browser created a given file.
45 relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
46 relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
47 relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
# Let mozilla_t act as a pulseaudio client under role $1.
52 pulseaudio_role($1, mozilla_t)
56 ########################################
58 ## Read mozilla home directory content
60 ## <param name="domain">
62 ## Domain allowed access.
66 interface(`mozilla_read_user_home_files',`
# Read-only access for domain $1 to content labeled mozilla_home_t:
# list directories, read files, follow symlinks, and search the user home
# directories that lead to that content.
# NOTE(review): no require declaration for mozilla_home_t is visible in this
# listing; the embedded line numbers skip 67-70. Confirm in the full file.
# SECURITY: presumably this covers the per-user browser profile; grant only
# to domains that genuinely need that data, and check the file contexts to
# see what is actually labeled mozilla_home_t.
71 allow $1 mozilla_home_t:dir list_dir_perms;
72 allow $1 mozilla_home_t:file read_file_perms;
73 allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
74 userdom_search_user_home_dirs($1)
77 ########################################
79 ## Write mozilla home directory content
81 ## <param name="domain">
83 ## Domain allowed access.
87 interface(`mozilla_write_user_home_files',`
# Lets domain $1 write files labeled mozilla_home_t inside mozilla_home_t
# directories and search the user home directories leading to them.
# NOTE(review): only a file write pattern is granted here; no directory
# management or relabel rule appears in this interface. Whether
# write_files_pattern covers creating new files is defined outside this
# listing; confirm before relying on it either way.
# NOTE(review): no require declaration for mozilla_home_t is visible in this
# listing; the embedded line numbers skip 88-91.
92 write_files_pattern($1, mozilla_home_t, mozilla_home_t)
93 userdom_search_user_home_dirs($1)
96 ########################################
98 ## Dontaudit attempts to read/write mozilla home directory content
100 ## <param name="domain">
102 ## Domain to not audit.
106 interface(`mozilla_dontaudit_rw_user_home_files',`
# Suppresses audit records when domain $1 is denied read/write access to
# files labeled mozilla_home_t. This grants nothing: the access is still
# denied, only the denial message is silenced.
# Covers the file class only; no directory rule appears in this interface.
# DETECTION: denials hidden by this rule will not show up in the audit log.
# During an investigation, rebuild the policy with dontaudit rules disabled
# (semodule -DB) to see them, then restore with semodule -B.
111 dontaudit $1 mozilla_home_t:file rw_file_perms;
114 ########################################
116 ## Dontaudit attempts to write mozilla home directory content
118 ## <param name="domain">
120 ## Domain to not audit.
124 interface(`mozilla_dontaudit_manage_user_home_files',`
# Suppresses audit records when domain $1 is denied management access to
# directories and files labeled mozilla_home_t. Access is still denied.
# NOTE(review): the summary for this interface says write, but the rules
# below silence the manage permission sets on both dirs and files, which is
# broader than write alone. Align the summary or narrow the rules.
# DETECTION: a domain probing or tampering with browser home content will
# leave no denial record while this is in effect; use semodule -DB to
# surface such denials when investigating.
129 dontaudit $1 mozilla_home_t:dir manage_dir_perms;
130 dontaudit $1 mozilla_home_t:file manage_file_perms;
133 ########################################
135 ## Execmod mozilla home directory content.
137 ## <param name="domain">
139 ## Domain allowed access.
143 interface(`mozilla_execmod_user_home_files',`
# Grants domain $1 the execmod permission on files labeled mozilla_home_t.
# SECURITY: execmod permits making executable a file mapping that has been
# modified in memory (for example by text relocations). This relaxes a
# memory-protection check, and mozilla_role in this file gives the user
# domain manage access to the same mozilla_home_t files. Grant it only to
# domains that demonstrably fail without it, and prefer fixing the library
# that needs the relocation.
# NOTE(review): no require declaration for mozilla_home_t is visible in this
# listing; the embedded line numbers skip 144-147.
148 allow $1 mozilla_home_t:file execmod;
151 ########################################
153 ## Run mozilla in the mozilla domain.
155 ## <param name="domain">
157 ## Domain allowed to transition.
161 interface(`mozilla_domtrans',`
# Lets domain $1 execute a mozilla_exec_t file and transition into
# mozilla_t.
# Unlike mozilla_role in this file, no noatsecure, siginh or rlimitinh rule
# is visible here, so nothing in this interface asks for the environment of
# $1 to pass into mozilla_t unscrubbed.
# NOTE(review): the gen_require wrapper and the closing of this interface
# are not visible in this listing; the embedded line numbers skip them.
163 type mozilla_t, mozilla_exec_t;
166 domtrans_pattern($1, mozilla_exec_t, mozilla_t)
169 ########################################
171 ## Send and receive messages from
172 ## mozilla over dbus.
174 ## <param name="domain">
176 ## Domain allowed access.
180 interface(`mozilla_dbus_chat',`
# Allows D-Bus messages in both directions between domain $1 and mozilla_t.
# NOTE(review): no require declaration for mozilla_t or for the dbus class
# is visible in this listing; the embedded line numbers skip 181-185.
# SECURITY: the second rule lets the browser domain send messages to $1, so
# $1 should treat every message arriving from mozilla_t as untrusted input.
186 allow $1 mozilla_t:dbus send_msg;
187 allow mozilla_t $1:dbus send_msg;
190 ########################################
192 ## Read and write mozilla per-user TCP sockets.
194 ## <param name="domain">
196 ## Domain allowed access.
200 interface(`mozilla_rw_tcp_sockets',`
# Grants domain $1 the rw_socket_perms permission set on TCP sockets labeled
# mozilla_t, that is, sockets owned by the browser domain.
# SECURITY: presumably meant for descriptors that $1 inherits from or is
# handed by the browser. A domain holding this can read and write browser
# network connections it obtains a descriptor for, so grant it narrowly.
# NOTE(review): no require declaration for mozilla_t is visible in this
# listing; the embedded line numbers skip 201-204.
205 allow $1 mozilla_t:tcp_socket rw_socket_perms;