git.ipfire.org Git - people/stevee/selinux-policy.git/blame - policy/modules/apps/mozilla.te
separate out the nsplugin typealiases in mozilla.te
Commit Line Data
# Declarations: module header, the mozilla_read_content tunable, and the
# types used by the browser (mozilla_t), the plugin (mozilla_plugin_t) and
# the plugin-config (mozilla_plugin_config_t) domains.
00528898 1policy_module(mozilla, 2.3.3)
9105f90b 2
00528898
MG
3########################################
4#
5# Declarations
6#
7
8## <desc>
9## <p>
10## Allow confined web browsers to read home directory content
11## </p>
12## </desc>
# The tunable is declared with a default of false.
13gen_tunable(mozilla_read_content, false)
14
# Browser domain and its entry-point executable type. The typealias lines
# map the older per-role names (user_/staff_/sysadm_/auditadm_/secadm_)
# onto the single mozilla_t type.
15type mozilla_t;
16type mozilla_exec_t;
17typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
18typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
19application_domain(mozilla_t, mozilla_exec_t)
20ubac_constrained(mozilla_t)
21
22type mozilla_conf_t;
23files_config_file(mozilla_conf_t)
24
# Per-user browser data in the home directory. Later rules in this file let
# mozilla_t, mozilla_plugin_t and mozilla_plugin_config_t all manage it.
25type mozilla_home_t;
0fbec907 26typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
00528898
MG
27typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
28files_poly_member(mozilla_home_t)
29userdom_user_home_content(mozilla_home_t)
30
# Plugin domain and its entry-point executable type.
# NOTE(review): mozilla_plugin_t is authorized for system_r here; the file
# does not say which launcher needs that - confirm it is still required.
31type mozilla_plugin_t;
32type mozilla_plugin_exec_t;
33application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
34role system_r types mozilla_plugin_t;
35
36type mozilla_plugin_tmp_t;
37userdom_user_tmp_content(mozilla_plugin_tmp_t)
38files_tmp_file(mozilla_plugin_tmp_t)
39ubac_constrained(mozilla_plugin_tmp_t)
40
41type mozilla_plugin_tmpfs_t;
42userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
43files_tmpfs_file(mozilla_plugin_tmpfs_t)
44ubac_constrained(mozilla_plugin_tmpfs_t)
45
# Declared as a generic file type. Later in this file mozilla_plugin_t gets
# read access to it, while mozilla_plugin_config_t may manage and execute it.
0fbec907 46type mozilla_plugin_rw_t;
1a725aa0
DW
47files_type(mozilla_plugin_rw_t)
48
49type mozilla_plugin_config_t;
50type mozilla_plugin_config_exec_t;
51application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
52
00528898
MG
53type mozilla_tmp_t;
54files_tmp_file(mozilla_tmp_t)
55ubac_constrained(mozilla_tmp_t)
56
57type mozilla_tmpfs_t;
58typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
59typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
60files_tmpfs_file(mozilla_tmpfs_t)
61ubac_constrained(mozilla_tmpfs_t)
62
# Rules for the browser domain itself (mozilla_t): self permissions, its own
# home/tmp/tmpfs types, kernel and device reads, and outbound networking.
63########################################
64#
65# Local policy
66#
67
# NOTE(review): setuid, setgid and sys_nice are granted to the browser
# process itself; nothing in this file says which code path needs them -
# confirm before keeping, since a browser handles untrusted content.
68allow mozilla_t self:capability { sys_nice setgid setuid };
69allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
70allow mozilla_t self:fifo_file rw_fifo_file_perms;
71allow mozilla_t self:shm { unix_read unix_write read write destroy create };
72allow mozilla_t self:sem create_sem_perms;
73allow mozilla_t self:socket create_socket_perms;
74allow mozilla_t self:unix_stream_socket { listen accept };
75# Browse the web, connect to printer
76allow mozilla_t self:tcp_socket create_socket_perms;
77allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
78
79# for bash - old mozilla binary
80can_exec(mozilla_t, mozilla_exec_t)
81
82# X access, Home files
# New directories the browser creates in the user home directory are given
# the mozilla_home_t type by the filetrans rule below.
83manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
84manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
85manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
86userdom_search_user_home_dirs(mozilla_t)
87userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
88
89# Mozpluggerrc
90allow mozilla_t mozilla_conf_t:file read_file_perms;
91
92manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
93manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
94files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
95
96manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
97manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
98manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
99manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
100fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
101
102kernel_read_kernel_sysctls(mozilla_t)
103kernel_read_network_state(mozilla_t)
104# Access /proc, sysctl
105kernel_read_system_state(mozilla_t)
106kernel_read_net_sysctls(mozilla_t)
107
108# Look for plugins
109corecmd_list_bin(mozilla_t)
110# for bash - old mozilla binary
# NOTE(review): the two exec interfaces below let the browser run shells and
# generic binaries; by their names they execute without a domain transition,
# so the child would stay in mozilla_t - verify against the interface files.
111corecmd_exec_shell(mozilla_t)
112corecmd_exec_bin(mozilla_t)
113
114# Browse the web, connect to printer
# NOTE(review): besides the per-service ports, this list also allows connect
# to generic ports (line 133) and to all ephemeral ports (line 126), so the
# named-port lines restrict little. The dontaudit lines at 142-143 only hide
# denials for send/recv and bind on generic ports; they grant nothing.
296273a7
CP
115corenet_all_recvfrom_unlabeled(mozilla_t)
116corenet_all_recvfrom_netlabel(mozilla_t)
117corenet_tcp_sendrecv_generic_if(mozilla_t)
118corenet_raw_sendrecv_generic_if(mozilla_t)
c1262146
CP
119corenet_tcp_sendrecv_generic_node(mozilla_t)
120corenet_raw_sendrecv_generic_node(mozilla_t)
296273a7
CP
121corenet_tcp_sendrecv_http_port(mozilla_t)
122corenet_tcp_sendrecv_http_cache_port(mozilla_t)
3eaa9939
DW
123corenet_tcp_sendrecv_squid_port(mozilla_t)
124corenet_tcp_connect_flash_port(mozilla_t)
296273a7 125corenet_tcp_sendrecv_ftp_port(mozilla_t)
e6b51a26 126corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
296273a7
CP
127corenet_tcp_sendrecv_ipp_port(mozilla_t)
128corenet_tcp_connect_http_port(mozilla_t)
129corenet_tcp_connect_http_cache_port(mozilla_t)
3eaa9939 130corenet_tcp_connect_squid_port(mozilla_t)
296273a7
CP
131corenet_tcp_connect_ftp_port(mozilla_t)
132corenet_tcp_connect_ipp_port(mozilla_t)
133corenet_tcp_connect_generic_port(mozilla_t)
b77daab0 134corenet_tcp_connect_soundd_port(mozilla_t)
296273a7
CP
135corenet_sendrecv_http_client_packets(mozilla_t)
136corenet_sendrecv_http_cache_client_packets(mozilla_t)
3eaa9939 137corenet_sendrecv_squid_client_packets(mozilla_t)
296273a7
CP
138corenet_sendrecv_ftp_client_packets(mozilla_t)
139corenet_sendrecv_ipp_client_packets(mozilla_t)
140corenet_sendrecv_generic_client_packets(mozilla_t)
141# Should not need other ports
142corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
143corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
06625d30 144corenet_tcp_connect_speech_port(mozilla_t)
296273a7
CP
145
146dev_read_urand(mozilla_t)
147dev_read_rand(mozilla_t)
148dev_write_sound(mozilla_t)
149dev_read_sound(mozilla_t)
150dev_dontaudit_rw_dri(mozilla_t)
151dev_getattr_sysfs_dirs(mozilla_t)
152
b77daab0
CP
153domain_dontaudit_read_all_domains_state(mozilla_t)
154
296273a7
CP
155files_read_etc_runtime_files(mozilla_t)
156files_read_usr_files(mozilla_t)
157files_read_etc_files(mozilla_t)
158# /var/lib
159files_read_var_lib_files(mozilla_t)
160# interacting with gstreamer
161files_read_var_files(mozilla_t)
162files_read_var_symlinks(mozilla_t)
163files_dontaudit_getattr_boot_dirs(mozilla_t)
164
165fs_search_auto_mountpoints(mozilla_t)
166fs_list_inotifyfs(mozilla_t)
167fs_rw_tmpfs_files(mozilla_t)
168
169term_dontaudit_getattr_pty_dirs(mozilla_t)
170
b03af87d
DW
171auth_use_nsswitch(mozilla_t)
172
296273a7
CP
173logging_send_syslog_msg(mozilla_t)
174
175miscfiles_read_fonts(mozilla_t)
176miscfiles_read_localization(mozilla_t)
3c1e8ff6 177miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
296273a7
CP
178
179# Browse the web, connect to printer
180sysnet_dns_name_resolve(mozilla_t)
181
af2d8802 182userdom_use_inherited_user_ptys(mozilla_t)
296273a7
CP
183
184xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
185xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
186xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
187
# execstack is granted only while the allow_execstack boolean is on.
4a093096 188tunable_policy(`allow_execstack',`
189 allow mozilla_t self:process execstack;
190')
191
# The true-branch is empty and the rule sits in the else-branch, so execmem
# is granted to mozilla_t unless the deny_execmem boolean is on.
192tunable_policy(`deny_execmem',`',`
193 allow mozilla_t self:process execmem;
296273a7
CP
194')
195
# NOTE(review): userdom_home_manager is applied unconditionally, outside the
# mozilla_read_content tunable blocks that follow. Its definition is not in
# this file - check whether it grants home-directory access that the tunable
# was meant to gate.
ed2ac112 196userdom_home_manager(mozilla_t)
296273a7
CP
197
# Read access to user content for mozilla_t, gated on the
# mozilla_read_content boolean (declared with default false at line 13).
# In every block below the true-branch grants read/list access and the
# else-branch adds only dontaudit rules, which suppress audit records for
# the resulting denials without granting anything.
198# Uploads, local html
# NFS home directories: requires both mozilla_read_content and
# use_nfs_home_dirs to be on.
199tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
200 fs_list_auto_mountpoints(mozilla_t)
201 files_list_home(mozilla_t)
202 fs_read_nfs_files(mozilla_t)
203 fs_read_nfs_symlinks(mozilla_t)
204
205',`
206 files_dontaudit_list_home(mozilla_t)
207 fs_dontaudit_list_auto_mountpoints(mozilla_t)
208 fs_dontaudit_read_nfs_files(mozilla_t)
209 fs_dontaudit_list_nfs(mozilla_t)
210')
211
# CIFS/Samba home directories: requires both mozilla_read_content and
# use_samba_home_dirs to be on.
212tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
213 fs_list_auto_mountpoints(mozilla_t)
214 files_list_home(mozilla_t)
215 fs_read_cifs_files(mozilla_t)
216 fs_read_cifs_symlinks(mozilla_t)
217',`
218 files_dontaudit_list_home(mozilla_t)
219 fs_dontaudit_list_auto_mountpoints(mozilla_t)
220 fs_dontaudit_read_cifs_files(mozilla_t)
221 fs_dontaudit_list_cifs(mozilla_t)
222')
223
# Local user tmp and home content. The removable-media reads are compiled in
# only when enable_mls is not defined (ifndef), i.e. not on MLS builds.
# NOTE(review): with the boolean off, the dontaudit rules mean a browser
# probing home or tmp content leaves no AVC record - relevant when relying
# on audit logs for detection.
224tunable_policy(`mozilla_read_content',`
225 userdom_list_user_tmp(mozilla_t)
226 userdom_read_user_tmp_files(mozilla_t)
227 userdom_read_user_tmp_symlinks(mozilla_t)
228 userdom_read_user_home_content_files(mozilla_t)
229 userdom_read_user_home_content_symlinks(mozilla_t)
230
b598c442 231 ifndef(`enable_mls',`
296273a7
CP
232 fs_search_removable(mozilla_t)
233 fs_read_removable_files(mozilla_t)
234 fs_read_removable_symlinks(mozilla_t)
235 ')
236',`
237 files_dontaudit_list_tmp(mozilla_t)
238 files_dontaudit_list_home(mozilla_t)
239 fs_dontaudit_list_removable(mozilla_t)
240 fs_dontaudit_read_removable_files(mozilla_t)
241 userdom_dontaudit_list_user_tmp(mozilla_t)
242 userdom_dontaudit_read_user_tmp_files(mozilla_t)
243 userdom_dontaudit_list_user_home_dirs(mozilla_t)
244 userdom_dontaudit_read_user_home_content_files(mozilla_t)
245')
246
296273a7
CP
# Optional integrations for mozilla_t. Each optional_policy block applies
# only when the module providing the called interface is present in the
# policy build.
247optional_policy(`
248 apache_read_user_scripts(mozilla_t)
249 apache_read_user_content(mozilla_t)
250')
251
252optional_policy(`
253 automount_dontaudit_getattr_tmp_dirs(mozilla_t)
254')
255
256optional_policy(`
257 cups_read_rw_config(mozilla_t)
258 cups_dbus_chat(mozilla_t)
259')
260
# The NetworkManager D-Bus chat is nested, so it needs both the dbus and
# the networkmanager modules.
261optional_policy(`
262 dbus_system_bus_client(mozilla_t)
263 dbus_session_bus_client(mozilla_t)
b77daab0
CP
264
265 optional_policy(`
266 networkmanager_dbus_chat(mozilla_t)
267 ')
296273a7
CP
268')
269
270optional_policy(`
271 gnome_stream_connect_gconf(mozilla_t)
06625d30 272 gnome_manage_config(mozilla_t)
3eaa9939 273 gnome_manage_gconf_home_files(mozilla_t)
296273a7
CP
274')
275
# NOTE(review): the *_domtrans interfaces below (java, lpr, mplayer,
# thunderbird) presumably move the helper into its own domain instead of
# running it as mozilla_t - confirm against the interface definitions, which
# are not in this file.
276optional_policy(`
277 java_domtrans(mozilla_t)
278')
279
280optional_policy(`
281 lpd_domtrans_lpr(mozilla_t)
282')
283
284optional_policy(`
285 mplayer_domtrans(mozilla_t)
286 mplayer_read_user_home_files(mozilla_t)
287')
288
# NOTE(review): pulseaudio uses an exec interface here, not a domtrans one,
# so by its name pulseaudio would run inside mozilla_t - verify.
3c1e8ff6
CP
289optional_policy(`
290 pulseaudio_exec(mozilla_t)
291 pulseaudio_stream_connect(mozilla_t)
292 pulseaudio_manage_home_files(mozilla_t)
293')
294
296273a7
CP
295optional_policy(`
296 thunderbird_domtrans(mozilla_t)
297')
3eaa9939
DW
298
# Rules for the plugin domain (mozilla_plugin_t): self permissions and
# access to the browser home, plugin tmp/tmpfs and plugin rw types.
299########################################
300#
301# mozilla_plugin local policy
302#
e12b7e14 303
# sys_nice is not granted to the plugin; the denial is only hidden from the
# audit log.
995bdbb1 304dontaudit mozilla_plugin_t self:capability sys_nice;
e12b7e14 305
# NOTE(review): execmem is granted unconditionally on the next line, so the
# deny_execmem tunable block further down (line 422) cannot remove it for
# mozilla_plugin_t. If the boolean is meant to apply to plugins, execmem
# would have to be dropped from this rule.
f5b49a5e 306allow mozilla_plugin_t self:process { setsched signal_perms execmem };
4e6b3f6d 307allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
095debe0 308allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
4e6b3f6d 309allow mozilla_plugin_t self:udp_socket create_socket_perms;
803cc59a 310allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
3eaa9939
DW
311
312allow mozilla_plugin_t self:sem create_sem_perms;
313allow mozilla_plugin_t self:shm create_shm_perms;
314allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
1021bec5 315allow mozilla_plugin_t self:unix_dgram_socket sendto;
3eaa9939
DW
316allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
317
# NOTE(review): the plugin domain may execute mozilla_home_t files (can_exec)
# and also create and modify them (manage_files_pattern), so content it
# writes under the browser profile is executable by the same domain.
7cfb9354 318can_exec(mozilla_plugin_t, mozilla_home_t)
9944514c
MG
319manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
320manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
321manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
3eaa9939 322
# Same write-plus-execute combination for the plugin's own tmp type: files,
# dirs, fifos and sockets it creates in tmp get mozilla_plugin_tmp_t via the
# filetrans rules, and can_exec at line 329 allows running them.
ef98a374
DW
323manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
324manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
095debe0 325manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
1021bec5
DG
326manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
327files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
328userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
ddd1ccaa 329can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
ef98a374 330
f5b49a5e
DW
331manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
332manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
333manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
334manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
335fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
336
# The plugin domain gets list/read access only to mozilla_plugin_rw_t; no
# write or execute rule for that type is given to mozilla_plugin_t here.
1a725aa0
DW
337allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
338read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
339read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
340
0b8f4cfe
DW
341can_exec(mozilla_plugin_t, mozilla_exec_t)
342
3eaa9939
DW
# mozilla_plugin_t access to kernel state, networking, devices, generic
# files and user content, followed by the execmem/execstack tunables.
343kernel_read_kernel_sysctls(mozilla_plugin_t)
344kernel_read_system_state(mozilla_plugin_t)
59650fa8 345kernel_read_network_state(mozilla_plugin_t)
3eaa9939
DW
# NOTE(review): a content-handling plugin domain is allowed to ask the
# kernel to load modules; the file gives no reason - confirm what needs it.
346kernel_request_load_module(mozilla_plugin_t)
347
348corecmd_exec_bin(mozilla_plugin_t)
349corecmd_exec_shell(mozilla_plugin_t)
350
# NOTE(review): connect to generic ports (line 351) and to all ephemeral
# ports (line 363) is allowed alongside the named service ports.
# corenet_tcp_connect_streaming_port appears twice (lines 353 and 361); the
# repeat is redundant.
2ad0c1a6 351corenet_tcp_connect_generic_port(mozilla_plugin_t)
b45aaab9
DW
352corenet_tcp_connect_flash_port(mozilla_plugin_t)
353corenet_tcp_connect_streaming_port(mozilla_plugin_t)
354corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
355corenet_tcp_connect_http_port(mozilla_plugin_t)
356corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
357corenet_tcp_connect_squid_port(mozilla_plugin_t)
358corenet_tcp_connect_ipp_port(mozilla_plugin_t)
61beb367 359corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
b45aaab9 360corenet_tcp_connect_speech_port(mozilla_plugin_t)
1af3b1e8 361corenet_tcp_connect_streaming_port(mozilla_plugin_t)
cd98bfa7
MG
362corenet_tcp_connect_ftp_port(mozilla_plugin_t)
363corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
6cbe7690
MG
364corenet_tcp_bind_generic_node(mozilla_plugin_t)
365corenet_udp_bind_generic_node(mozilla_plugin_t)
b45aaab9 366
# Device access: random sources, video capture devices (read and write),
# sysfs and sound devices. DRI access is not granted, only dontaudited.
095debe0 367dev_read_rand(mozilla_plugin_t)
3eaa9939 368dev_read_urand(mozilla_plugin_t)
f5b49a5e 369dev_read_video_dev(mozilla_plugin_t)
b45aaab9 370dev_write_video_dev(mozilla_plugin_t)
f5b49a5e 371dev_read_sysfs(mozilla_plugin_t)
0b8f4cfe
DW
372dev_read_sound(mozilla_plugin_t)
373dev_write_sound(mozilla_plugin_t)
61beb367
MG
374# for nvidia driver
375dev_rw_xserver_misc(mozilla_plugin_t)
4e6b3f6d 376dev_dontaudit_rw_dri(mozilla_plugin_t)
3eaa9939
DW
377
378domain_use_interactive_fds(mozilla_plugin_t)
379domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
380
381files_read_config_files(mozilla_plugin_t)
382files_read_usr_files(mozilla_plugin_t)
095debe0 383files_list_mnt(mozilla_plugin_t)
3eaa9939 384
e160b2c6 385fs_getattr_all_fs(mozilla_plugin_t)
b598c442 386fs_list_dos(mozilla_plugin_t)
095debe0 387fs_read_dos_files(mozilla_plugin_t)
ef98a374 388
751ec039
DW
389application_dontaudit_signull(mozilla_plugin_t)
390
9ba3eded
MG
391auth_use_nsswitch(mozilla_plugin_t)
392
6cbe7690
MG
393logging_send_syslog_msg(mozilla_plugin_t)
394
3eaa9939 395miscfiles_read_localization(mozilla_plugin_t)
f5b49a5e 396miscfiles_read_fonts(mozilla_plugin_t)
81ac3780 397miscfiles_read_generic_certs(mozilla_plugin_t)
d889c6bb 398miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
b9af7893 399miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
3eaa9939 400
79bff2bb
DW
401sysnet_dns_name_resolve(mozilla_plugin_t)
402
3eaa9939
DW
403term_getattr_all_ttys(mozilla_plugin_t)
404term_getattr_all_ptys(mozilla_plugin_t)
405
ef98a374 406userdom_rw_user_tmpfs_files(mozilla_plugin_t)
5212892e 407userdom_delete_user_tmpfs_files(mozilla_plugin_t)
57ce3836 408userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
ddd1ccaa 409userdom_manage_user_tmp_sockets(mozilla_plugin_t)
d1c6ba20 410userdom_manage_user_tmp_dirs(mozilla_plugin_t)
4e6b3f6d
DW
411userdom_read_user_tmp_files(mozilla_plugin_t)
412userdom_read_user_tmp_symlinks(mozilla_plugin_t)
e3b5785f
MG
413userdom_stream_connect(mozilla_plugin_t)
414userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
415
# NOTE(review): the plugin domain reads user home content, home certificates
# and audio files unconditionally. For mozilla_t the same home-content reads
# sit behind the mozilla_read_content boolean (line 224), so that boolean
# does not restrict the plugin. Writes to home certs are only dontaudited.
5212892e 416userdom_read_user_home_content_files(mozilla_plugin_t)
4e6b3f6d 417userdom_read_user_home_content_symlinks(mozilla_plugin_t)
da61030d 418userdom_read_home_certs(mozilla_plugin_t)
f06e4c22 419userdom_dontaudit_write_home_certs(mozilla_plugin_t)
c83e3b91 420userdom_read_home_audio_files(mozilla_plugin_t)
f5b49a5e 421
# The true-branch is empty, so this grants execmem when deny_execmem is off.
# NOTE(review): line 306 already allows execmem for mozilla_plugin_t without
# any condition, so turning deny_execmem on does not take it away here.
4a093096 422tunable_policy(`deny_execmem',`', `
423 allow mozilla_plugin_t self:process execmem;
d79b5476
DW
424')
425
# execstack is granted only while the allow_execstack boolean is on.
426tunable_policy(`allow_execstack',`
4a093096 427 allow mozilla_plugin_t self:process execstack;
d79b5476
DW
428')
429
# NOTE(review): applied unconditionally; the interface definition is not in
# this file - check what home-directory access it adds for the plugin.
ed2ac112 430userdom_home_manager(mozilla_plugin_t)
0b8f4cfe 431
# Optional integrations for mozilla_plugin_t. Each optional_policy block
# applies only when the module providing the called interface is present.
f5b49a5e 432optional_policy(`
b598c442
CP
433 alsa_read_rw_config(mozilla_plugin_t)
434 alsa_read_home_files(mozilla_plugin_t)
1021bec5
DG
435')
436
437optional_policy(`
6cbe7690 438 dbus_system_bus_client(mozilla_plugin_t)
4e6b3f6d 439 dbus_session_bus_client(mozilla_plugin_t)
f5b49a5e
DW
440 dbus_read_lib_files(mozilla_plugin_t)
441')
6cbe7690
MG
442
# Reads of git session content are not granted, only dontaudited.
443optional_policy(`
e3b5785f 444 git_dontaudit_read_session_content_files(mozilla_plugin_t)
6cbe7690 445')
f5b49a5e 446
e3b5785f 447
f5b49a5e 448optional_policy(`
79bff2bb 449 gnome_manage_config(mozilla_plugin_t)
e9b18e23 450 gnome_read_usr_config(mozilla_plugin_t)
f5b49a5e 451')
ef98a374 452
# NOTE(review): java, mplayer and pulseaudio use *_exec interfaces for the
# plugin domain, whereas mozilla_t uses java_domtrans and mplayer_domtrans
# (lines 277 and 285). By their names the exec variants keep the helper
# inside mozilla_plugin_t rather than its own domain - verify.
095debe0
DW
453optional_policy(`
454 java_exec(mozilla_plugin_t)
455')
456
67f46f2d
DW
457optional_policy(`
458 mplayer_exec(mozilla_plugin_t)
459 mplayer_read_user_home_files(mozilla_plugin_t)
460')
461
f5b49a5e 462optional_policy(`
b45aaab9
DW
463 pulseaudio_exec(mozilla_plugin_t)
464 pulseaudio_stream_connect(mozilla_plugin_t)
79bff2bb 465 pulseaudio_setattr_home_dir(mozilla_plugin_t)
b45aaab9 466 pulseaudio_manage_home_files(mozilla_plugin_t)
1021bec5 467 pulseaudio_manage_home_symlinks(mozilla_plugin_t)
3eaa9939
DW
468')
469
# Smart-card daemon socket access for the plugin domain.
c7abc020
MG
470optional_policy(`
471 pcscd_stream_connect(mozilla_plugin_t)
472')
473
1021bec5
DG
474optional_policy(`
475 rtkit_scheduled(mozilla_plugin_t)
476')
477
478optional_policy(`
479 udev_read_db(mozilla_plugin_t)
480')
481
# NOTE(review): the plugin may read the user's X authority and ICE authority
# files (lines 486-487) and connect to the X server.
# NOTE(review): line 488 ends with a ';' that no other interface call in
# this file has; it looks like a stray character - confirm the module still
# builds cleanly and drop it if so.
3eaa9939
DW
482optional_policy(`
483 xserver_read_xdm_pid(mozilla_plugin_t)
484 xserver_stream_connect(mozilla_plugin_t)
0b8f4cfe 485 xserver_use_user_fonts(mozilla_plugin_t)
ddd1ccaa 486 xserver_read_user_iceauth(mozilla_plugin_t)
97ec2391 487 xserver_read_user_xauth(mozilla_plugin_t)
9c306697 488 xserver_append_xdm_home_files(mozilla_plugin_t);
3eaa9939 489')
36da87c2 490
1a725aa0
DW
# Rules for the plugin-config domain (mozilla_plugin_config_t), which manages
# the plugin rw and browser home types and can transition into
# mozilla_plugin_t.
491########################################
492#
493# mozilla_plugin_config local policy
494#
495
# NOTE(review): dac_override and dac_read_search let this domain bypass
# ordinary file permission checks, and setuid/setgid are granted as well;
# the file does not say why - confirm each is needed. execmem is granted
# here without any tunable.
496allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
497allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem };
498
499allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
500allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
501
1a725aa0
DW
502dev_search_sysfs(mozilla_plugin_config_t)
503dev_read_urand(mozilla_plugin_config_t)
504dev_dontaudit_read_rand(mozilla_plugin_config_t)
505dev_dontaudit_rw_dri(mozilla_plugin_config_t)
506
507fs_search_auto_mountpoints(mozilla_plugin_config_t)
508fs_list_inotifyfs(mozilla_plugin_config_t)
509
# NOTE(review): this domain can both manage (create/modify) and execute
# mozilla_plugin_rw_t files, so anything it writes there is runnable by it.
510can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
511manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
512manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
513manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
514
6abefeab
DW
515manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
516manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
517manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
1a725aa0
DW
518
519corecmd_exec_bin(mozilla_plugin_config_t)
520corecmd_exec_shell(mozilla_plugin_config_t)
521
522kernel_read_system_state(mozilla_plugin_config_t)
523kernel_request_load_module(mozilla_plugin_config_t)
524
525domain_use_interactive_fds(mozilla_plugin_config_t)
526
527files_read_etc_files(mozilla_plugin_config_t)
528files_read_usr_files(mozilla_plugin_config_t)
529files_dontaudit_search_home(mozilla_plugin_config_t)
530files_list_tmp(mozilla_plugin_config_t)
531
532auth_use_nsswitch(mozilla_plugin_config_t)
533
534miscfiles_read_localization(mozilla_plugin_config_t)
535miscfiles_read_fonts(mozilla_plugin_config_t)
536
537userdom_search_user_home_content(mozilla_plugin_config_t)
538userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
539userdom_read_user_home_content_files(mozilla_plugin_config_t)
540userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
f8a3603f 541userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
1a725aa0
DW
542
# Executing a mozilla_plugin_exec_t file from this domain transitions the
# new process into mozilla_plugin_t.
543domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
544
545optional_policy(`
546 xserver_use_user_fonts(mozilla_plugin_config_t)
547')
0fbec907
DW
# Compiled in only when distro_redhat is defined: the nsplugin_* names
# become aliases of the mozilla_plugin_* types, so existing labels and rules
# that use the old names resolve to the types declared in this module.
# NOTE(review): nsplugin_home_t is aliased to mozilla_home_t, the browser's
# own home type, not to a plugin-specific type - files carrying the old
# label therefore share one type with browser profile data.
548ifdef(`distro_redhat',`
549 typealias mozilla_plugin_t alias nsplugin_t;
550 typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
551 typealias mozilla_plugin_rw_t alias nsplugin_rw_t;
552 typealias mozilla_plugin_tmp_t alias nsplugin_tmp_t;
553 typealias mozilla_home_t alias nsplugin_home_t;
554 typealias mozilla_plugin_config_t alias nsplugin_config_t;
555 typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
556')