]> git.ipfire.org Git - people/stevee/selinux-policy.git/blob - policy/modules/apps/mozilla.if
projects / people / stevee / selinux-policy.git / blob
? search:


9a6d67dc8ab77805834cbb88443b562a0dcc14ad
[people/stevee/selinux-policy.git] / policy / modules / apps / mozilla.if
1 ## <summary>Policy for Mozilla and related web browsers</summary>
2
3 ########################################
4 ## <summary>
5 ## Role access for mozilla
6 ## </summary>
7 ## <param name="role">
8 ## <summary>
9 ## Role allowed access
10 ## </summary>
11 ## </param>
12 ## <param name="domain">
13 ## <summary>
14 ## User domain for the role
15 ## </summary>
16 ## </param>
17 #
18 interface(`mozilla_role',`
19 gen_require(`
20 type mozilla_t, mozilla_exec_t, mozilla_home_t;
21 ')
22
23 role $1 types mozilla_t;
24
25 domain_auto_trans($2, mozilla_exec_t, mozilla_t)
26 # Unrestricted inheritance from the caller.
27 allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
28 allow mozilla_t $2:fd use;
29 allow mozilla_t $2:process { sigchld signull };
30 allow mozilla_t $2:unix_stream_socket connectto;
31
32 # Allow the user domain to signal/ps.
33 ps_process_pattern($2, mozilla_t)
34 allow $2 mozilla_t:process signal_perms;
35
36 allow $2 mozilla_t:fd use;
37 allow $2 mozilla_t:shm { associate getattr };
38 allow $2 mozilla_t:shm { unix_read unix_write };
39 allow $2 mozilla_t:unix_stream_socket connectto;
40
41 # X access, Home files
42 manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
43 manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
44 manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
45 relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
46 relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
47 relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
48
49 mozilla_dbus_chat($2)
50
51 optional_policy(`
52 pulseaudio_role($1, mozilla_t)
53 ')
54 ')
55
56 ########################################
57 ## <summary>
58 ## Read mozilla home directory content
59 ## </summary>
60 ## <param name="domain">
61 ## <summary>
62 ## Domain allowed access.
63 ## </summary>
64 ## </param>
65 #
66 interface(`mozilla_read_user_home_files',`
67 gen_require(`
68 type mozilla_home_t;
69 ')
70
71 allow $1 mozilla_home_t:dir list_dir_perms;
72 allow $1 mozilla_home_t:file read_file_perms;
73 allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
74 userdom_search_user_home_dirs($1)
75 ')
76
77 ########################################
78 ## <summary>
79 ## Write mozilla home directory content
80 ## </summary>
81 ## <param name="domain">
82 ## <summary>
83 ## Domain allowed access.
84 ## </summary>
85 ## </param>
86 #
87 interface(`mozilla_write_user_home_files',`
88 gen_require(`
89 type mozilla_home_t;
90 ')
91
92 write_files_pattern($1, mozilla_home_t, mozilla_home_t)
93 userdom_search_user_home_dirs($1)
94 ')
95
96 ########################################
97 ## <summary>
98 ## Dontaudit attempts to read/write mozilla home directory content
99 ## </summary>
100 ## <param name="domain">
101 ## <summary>
102 ## Domain to not audit.
103 ## </summary>
104 ## </param>
105 #
106 interface(`mozilla_dontaudit_rw_user_home_files',`
107 gen_require(`
108 type mozilla_home_t;
109 ')
110
111 dontaudit $1 mozilla_home_t:file rw_file_perms;
112 ')
113
114 ########################################
115 ## <summary>
116 ## Dontaudit attempts to write mozilla home directory content
117 ## </summary>
118 ## <param name="domain">
119 ## <summary>
120 ## Domain to not audit.
121 ## </summary>
122 ## </param>
123 #
124 interface(`mozilla_dontaudit_manage_user_home_files',`
125 gen_require(`
126 type mozilla_home_t;
127 ')
128
129 dontaudit $1 mozilla_home_t:dir manage_dir_perms;
130 dontaudit $1 mozilla_home_t:file manage_file_perms;
131 ')
132
133 ########################################
134 ## <summary>
135 ## Execmod mozilla home directory content.
136 ## </summary>
137 ## <param name="domain">
138 ## <summary>
139 ## Domain allowed access.
140 ## </summary>
141 ## </param>
142 #
143 interface(`mozilla_execmod_user_home_files',`
144 gen_require(`
145 type mozilla_home_t;
146 ')
147
148 allow $1 mozilla_home_t:file execmod;
149 ')
150
151 ########################################
152 ## <summary>
153 ## Run mozilla in the mozilla domain.
154 ## </summary>
155 ## <param name="domain">
156 ## <summary>
157 ## Domain allowed to transition.
158 ## </summary>
159 ## </param>
160 #
161 interface(`mozilla_domtrans',`
162 gen_require(`
163 type mozilla_t, mozilla_exec_t;
164 ')
165
166 domtrans_pattern($1, mozilla_exec_t, mozilla_t)
167 ')
168
169 ########################################
170 ## <summary>
171 ## Send and receive messages from
172 ## mozilla over dbus.
173 ## </summary>
174 ## <param name="domain">
175 ## <summary>
176 ## Domain allowed access.
177 ## </summary>
178 ## </param>
179 #
180 interface(`mozilla_dbus_chat',`
181 gen_require(`
182 type mozilla_t;
183 class dbus send_msg;
184 ')
185
186 allow $1 mozilla_t:dbus send_msg;
187 allow mozilla_t $1:dbus send_msg;
188 ')
189
190 ########################################
191 ## <summary>
192 ## read/write mozilla per user tcp_socket
193 ## </summary>
194 ## <param name="domain">
195 ## <summary>
196 ## Domain allowed access.
197 ## </summary>
198 ## </param>
199 #
200 interface(`mozilla_rw_tcp_sockets',`
201 gen_require(`
202 type mozilla_t;
203 ')
204
205 allow $1 mozilla_t:tcp_socket rw_socket_perms;
206 ')
The IPFire selinux policy.