Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8DAFC43387 for ; Sat, 12 Jan 2019 05:19:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3FAE12084E for ; Sat, 12 Jan 2019 05:19:23 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="RutnOvWU" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725791AbfALFTW (ORCPT ); Sat, 12 Jan 2019 00:19:22 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:40658 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725372AbfALFTW (ORCPT ); Sat, 12 Jan 2019 00:19:22 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 0D324EDAA for ; Sat, 12 Jan 2019 16:19:15 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1547270355; bh=bKrhjgoCstv+goPlcZq9IFYDEbB6++mALIT0pmvQLxg=; l=90498; h=Date:From:To:Subject:From; b=RutnOvWUSlinksbgFLPlxOf2Wyfm67Qg66nikynD0VzrXANQIyyhvnvluDzb3ox2u mxxla0iw8BXTkSX+KSwZlkqhCMHs4DqamkHZxC9i4dyOu97E3v4mVoGHn2P8X26kg/ 2PSNxvk9oNE0omRs5g4SzoLx/pmFAojf8+4Nsgkc= Received: by xev.coker.com.au (Postfix, from userid 1001) id 29BDDC4ED4E; Sat, 12 Jan 2019 16:19:09 +1100 (AEDT) Date: Sat, 12 Jan 2019 16:19:09 +1100 
From: Russell Coker To: "selinux-refpolicy@vger.kernel.org" Subject: [PATCH] s/mozilla/webbrowser/g Message-ID: <20190112051909.GA7745@xev> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This patch as requested renames mozilla to webbrowser and adds appropriate typealias rules. Index: refpolicy-2.20180701/policy/modules/apps/mozilla.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.te +++ refpolicy-2.20180701/policy/modules/apps/mozilla.te @@ -7,335 +7,346 @@ policy_module(mozilla, 2.14.1) ## ##

-## Determine whether mozilla can +## Determine whether web browser can ## make its stack executable. ##

##
-gen_tunable(mozilla_execstack, false)
+gen_tunable(webbrowser_execstack, false)
-attribute_role mozilla_roles;
-attribute_role mozilla_plugin_roles;
-attribute_role mozilla_plugin_config_roles;
+attribute_role webbrowser_roles;
+attribute_role webbrowser_plugin_roles;
+attribute_role webbrowser_plugin_config_roles;
-type mozilla_t;
-type mozilla_exec_t;
-typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
-userdom_user_application_domain(mozilla_t, mozilla_exec_t)
-role mozilla_roles types mozilla_t;
+type webbrowser_t;
+type webbrowser_exec_t;
+typealias webbrowser_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+typealias webbrowser_t alias { auditadm_mozilla_t secadm_mozilla_t mozilla_t };
+typealias webbrowser_exec_t alias { mozilla_exec_t };
+userdom_user_application_domain(webbrowser_t, webbrowser_exec_t)
+role webbrowser_roles types webbrowser_t;
 optional_policy(`
- wm_application_domain(mozilla_t, mozilla_exec_t)
+ wm_application_domain(webbrowser_t, webbrowser_exec_t)
 ')
-type mozilla_home_t;
-typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
-typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-userdom_user_home_content(mozilla_home_t)
+type webbrowser_home_t;
+typealias webbrowser_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+typealias webbrowser_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t mozilla_home_t };
+userdom_user_home_content(webbrowser_home_t)
-type mozilla_plugin_t;
-type mozilla_plugin_exec_t;
-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
-role mozilla_plugin_roles types mozilla_plugin_t;
+type webbrowser_plugin_t;
+type webbrowser_plugin_exec_t;
+typealias webbrowser_plugin_t alias { mozilla_plugin_t };
+typealias webbrowser_plugin_exec_t alias { mozilla_plugin_exec_t };
+userdom_user_application_domain(webbrowser_plugin_t, webbrowser_plugin_exec_t) +role webbrowser_plugin_roles types webbrowser_plugin_t; -type mozilla_plugin_home_t; -userdom_user_home_content(mozilla_plugin_home_t) +type webbrowser_plugin_home_t; +typealias webbrowser_plugin_home_t alias { mozilla_plugin_home_t }; +userdom_user_home_content(webbrowser_plugin_home_t) -type mozilla_plugin_tmp_t; -userdom_user_tmp_file(mozilla_plugin_tmp_t) +type webbrowser_plugin_tmp_t; +typealias webbrowser_plugin_tmp_t alias { mozilla_plugin_tmp_t }; +userdom_user_tmp_file(webbrowser_plugin_tmp_t) -type mozilla_plugin_tmpfs_t; -userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t) +type webbrowser_plugin_tmpfs_t; +typealias webbrowser_plugin_tmpfs_t alias { mozilla_plugin_tmpfs_t }; +userdom_user_tmpfs_file(webbrowser_plugin_tmpfs_t) optional_policy(` - pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t) + pulseaudio_tmpfs_content(webbrowser_plugin_tmpfs_t) ') -type mozilla_plugin_rw_t; -files_type(mozilla_plugin_rw_t) +type webbrowser_plugin_rw_t; +typealias webbrowser_plugin_rw_t alias { mozilla_plugin_rw_t }; +files_type(webbrowser_plugin_rw_t) -type mozilla_plugin_config_t; -type mozilla_plugin_config_exec_t; -userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) -role mozilla_plugin_config_roles types mozilla_plugin_config_t; +type webbrowser_plugin_config_t; +typealias webbrowser_plugin_config_t alias { mozilla_plugin_config_t }; +type webbrowser_plugin_config_exec_t; +typealias webbrowser_plugin_config_exec_t alias { mozilla_plugin_config_exec_t }; +userdom_user_application_domain(webbrowser_plugin_config_t, webbrowser_plugin_config_exec_t) +role webbrowser_plugin_config_roles types webbrowser_plugin_config_t; -type mozilla_tmp_t; -userdom_user_tmp_file(mozilla_tmp_t) +type webbrowser_tmp_t; +typealias webbrowser_tmp_t alias { mozilla_tmp_t }; +userdom_user_tmp_file(webbrowser_tmp_t) -type mozilla_tmpfs_t; -typealias mozilla_tmpfs_t alias { 
user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t }; -typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; -userdom_user_tmpfs_file(mozilla_tmpfs_t) +type webbrowser_tmpfs_t; +typealias webbrowser_tmpfs_t alias { mozilla_tmpfs_t }; +typealias webbrowser_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t }; +typealias webbrowser_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; +userdom_user_tmpfs_file(webbrowser_tmpfs_t) optional_policy(` - pulseaudio_tmpfs_content(mozilla_tmpfs_t) + pulseaudio_tmpfs_content(webbrowser_tmpfs_t) ') -type mozilla_xdg_cache_t; -xdg_cache_content(mozilla_xdg_cache_t) +type webbrowser_xdg_cache_t; +xdg_cache_content(webbrowser_xdg_cache_t) ######################################## # # Local policy # -allow mozilla_t self:capability { setgid setuid sys_nice }; -allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; -allow mozilla_t self:fifo_file rw_fifo_file_perms; -allow mozilla_t self:shm create_shm_perms; -allow mozilla_t self:sem create_sem_perms; -allow mozilla_t self:socket create_socket_perms; -allow mozilla_t self:unix_stream_socket { accept listen }; - -allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms; -allow mozilla_t mozilla_plugin_t:fd use; - -allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms; -allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map }; -allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms; -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix") - -filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") - 
-manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) -manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) -manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) -allow mozilla_t mozilla_tmp_t:file map; -files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) - -manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) -allow mozilla_t mozilla_plugin_tmpfs_t:file map; - -allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; - -stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) - -manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t) -manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t) -xdg_cache_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla") - -can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t }) - -kernel_read_kernel_sysctls(mozilla_t) -kernel_read_network_state(mozilla_t) -kernel_read_system_state(mozilla_t) -kernel_read_net_sysctls(mozilla_t) - -corecmd_list_bin(mozilla_t) -corecmd_exec_shell(mozilla_t) -corecmd_exec_bin(mozilla_t) - -corenet_all_recvfrom_unlabeled(mozilla_t) -corenet_all_recvfrom_netlabel(mozilla_t) -corenet_tcp_sendrecv_generic_if(mozilla_t) -corenet_tcp_sendrecv_generic_node(mozilla_t) - -corenet_sendrecv_http_client_packets(mozilla_t) -corenet_tcp_connect_http_port(mozilla_t) -corenet_tcp_sendrecv_http_port(mozilla_t) - -corenet_sendrecv_http_cache_client_packets(mozilla_t) -corenet_tcp_connect_http_cache_port(mozilla_t) 
-corenet_tcp_sendrecv_http_cache_port(mozilla_t) - -corenet_sendrecv_squid_client_packets(mozilla_t) -corenet_tcp_connect_squid_port(mozilla_t) -corenet_tcp_sendrecv_squid_port(mozilla_t) - -corenet_sendrecv_ftp_client_packets(mozilla_t) -corenet_tcp_connect_ftp_port(mozilla_t) -corenet_tcp_sendrecv_ftp_port(mozilla_t) - -corenet_sendrecv_ipp_client_packets(mozilla_t) -corenet_tcp_connect_ipp_port(mozilla_t) -corenet_tcp_sendrecv_ipp_port(mozilla_t) - -corenet_sendrecv_soundd_client_packets(mozilla_t) -corenet_tcp_connect_soundd_port(mozilla_t) -corenet_tcp_sendrecv_soundd_port(mozilla_t) - -corenet_sendrecv_speech_client_packets(mozilla_t) -corenet_tcp_connect_speech_port(mozilla_t) -corenet_tcp_sendrecv_speech_port(mozilla_t) - -dev_getattr_sysfs_dirs(mozilla_t) -dev_read_sysfs(mozilla_t) -dev_read_sound(mozilla_t) -dev_read_rand(mozilla_t) -dev_read_urand(mozilla_t) -dev_rw_dri(mozilla_t) -dev_write_sound(mozilla_t) - -domain_dontaudit_read_all_domains_state(mozilla_t) - -files_read_etc_runtime_files(mozilla_t) -files_map_usr_files(mozilla_t) -files_read_usr_files(mozilla_t) -files_read_var_files(mozilla_t) -files_read_var_lib_files(mozilla_t) -files_read_var_symlinks(mozilla_t) -files_dontaudit_getattr_boot_dirs(mozilla_t) - -fs_getattr_all_fs(mozilla_t) -fs_search_auto_mountpoints(mozilla_t) -fs_list_inotifyfs(mozilla_t) -fs_rw_tmpfs_files(mozilla_t) - -term_dontaudit_getattr_pty_dirs(mozilla_t) - -auth_use_nsswitch(mozilla_t) - -logging_send_syslog_msg(mozilla_t) - -miscfiles_read_fonts(mozilla_t) -miscfiles_read_generic_certs(mozilla_t) -miscfiles_read_localization(mozilla_t) -miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t) - -userdom_use_user_ptys(mozilla_t) - -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) -userdom_map_user_tmp_files(mozilla_t) - -userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t }) 
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) - -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) -mozilla_run_plugin_config(mozilla_t, mozilla_roles) - -xdg_read_config_files(mozilla_t) -xdg_read_data_files(mozilla_t) -xdg_manage_downloads(mozilla_t) - -xserver_rw_mesa_shader_cache(mozilla_t) -xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) -xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) +allow webbrowser_t self:capability { setgid setuid sys_nice }; +allow webbrowser_t self:process { sigkill signal setsched getsched setrlimit }; +allow webbrowser_t self:fifo_file rw_fifo_file_perms; +allow webbrowser_t self:shm create_shm_perms; +allow webbrowser_t self:sem create_sem_perms; +allow webbrowser_t self:socket create_socket_perms; +allow webbrowser_t self:unix_stream_socket { accept listen }; + +allow webbrowser_t webbrowser_plugin_t:unix_stream_socket rw_socket_perms; +allow webbrowser_t webbrowser_plugin_t:fd use; + +allow webbrowser_t { webbrowser_home_t webbrowser_plugin_home_t }:dir manage_dir_perms; +allow webbrowser_t { webbrowser_home_t webbrowser_plugin_home_t }:file { manage_file_perms map }; +allow webbrowser_t webbrowser_home_t:lnk_file manage_lnk_file_perms; +userdom_user_home_dir_filetrans(webbrowser_t, webbrowser_home_t, dir, ".galeon") +userdom_user_home_dir_filetrans(webbrowser_t, webbrowser_home_t, dir, ".mozilla") +userdom_user_home_dir_filetrans(webbrowser_t, webbrowser_home_t, dir, ".netscape") +userdom_user_home_dir_filetrans(webbrowser_t, webbrowser_home_t, dir, ".phoenix") + +filetrans_pattern(webbrowser_t, webbrowser_home_t, webbrowser_plugin_home_t, dir, "plugins") + +manage_files_pattern(webbrowser_t, webbrowser_tmp_t, webbrowser_tmp_t) +manage_lnk_files_pattern(webbrowser_t, webbrowser_tmp_t, webbrowser_tmp_t) +manage_dirs_pattern(webbrowser_t, webbrowser_tmp_t, webbrowser_tmp_t) +allow 
webbrowser_t webbrowser_tmp_t:file map; +files_tmp_filetrans(webbrowser_t, webbrowser_tmp_t, { file dir }) + +manage_files_pattern(webbrowser_t, webbrowser_tmpfs_t, webbrowser_tmpfs_t) +manage_lnk_files_pattern(webbrowser_t, webbrowser_tmpfs_t, webbrowser_tmpfs_t) +manage_fifo_files_pattern(webbrowser_t, webbrowser_tmpfs_t, webbrowser_tmpfs_t) +manage_sock_files_pattern(webbrowser_t, webbrowser_tmpfs_t, webbrowser_tmpfs_t) +fs_tmpfs_filetrans(webbrowser_t, webbrowser_tmpfs_t, { file lnk_file sock_file fifo_file }) +allow webbrowser_t webbrowser_plugin_tmpfs_t:file map; + +allow webbrowser_t webbrowser_plugin_rw_t:dir list_dir_perms; +allow webbrowser_t webbrowser_plugin_rw_t:file read_file_perms; +allow webbrowser_t webbrowser_plugin_rw_t:lnk_file read_lnk_file_perms; + +stream_connect_pattern(webbrowser_t, webbrowser_plugin_tmpfs_t, webbrowser_plugin_tmpfs_t, webbrowser_plugin_t) + +manage_files_pattern(webbrowser_t, webbrowser_xdg_cache_t, webbrowser_xdg_cache_t) +manage_dirs_pattern(webbrowser_t, webbrowser_xdg_cache_t, webbrowser_xdg_cache_t) +xdg_cache_filetrans(webbrowser_t, webbrowser_xdg_cache_t, dir, "mozilla") + +can_exec(webbrowser_t, { webbrowser_exec_t webbrowser_plugin_rw_t webbrowser_plugin_home_t }) + +kernel_read_kernel_sysctls(webbrowser_t) +kernel_read_network_state(webbrowser_t) +kernel_read_system_state(webbrowser_t) +kernel_read_net_sysctls(webbrowser_t) + +corecmd_list_bin(webbrowser_t) +corecmd_exec_shell(webbrowser_t) +corecmd_exec_bin(webbrowser_t) + +corenet_all_recvfrom_unlabeled(webbrowser_t) +corenet_all_recvfrom_netlabel(webbrowser_t) +corenet_tcp_sendrecv_generic_if(webbrowser_t) +corenet_tcp_sendrecv_generic_node(webbrowser_t) + +corenet_sendrecv_http_client_packets(webbrowser_t) +corenet_tcp_connect_http_port(webbrowser_t) +corenet_tcp_sendrecv_http_port(webbrowser_t) + +corenet_sendrecv_http_cache_client_packets(webbrowser_t) +corenet_tcp_connect_http_cache_port(webbrowser_t) +corenet_tcp_sendrecv_http_cache_port(webbrowser_t) + 
+corenet_sendrecv_squid_client_packets(webbrowser_t) +corenet_tcp_connect_squid_port(webbrowser_t) +corenet_tcp_sendrecv_squid_port(webbrowser_t) + +corenet_sendrecv_ftp_client_packets(webbrowser_t) +corenet_tcp_connect_ftp_port(webbrowser_t) +corenet_tcp_sendrecv_ftp_port(webbrowser_t) + +corenet_sendrecv_ipp_client_packets(webbrowser_t) +corenet_tcp_connect_ipp_port(webbrowser_t) +corenet_tcp_sendrecv_ipp_port(webbrowser_t) + +corenet_sendrecv_soundd_client_packets(webbrowser_t) +corenet_tcp_connect_soundd_port(webbrowser_t) +corenet_tcp_sendrecv_soundd_port(webbrowser_t) + +corenet_sendrecv_speech_client_packets(webbrowser_t) +corenet_tcp_connect_speech_port(webbrowser_t) +corenet_tcp_sendrecv_speech_port(webbrowser_t) + +dev_getattr_sysfs_dirs(webbrowser_t) +dev_read_sysfs(webbrowser_t) +dev_read_sound(webbrowser_t) +dev_read_rand(webbrowser_t) +dev_read_urand(webbrowser_t) +dev_rw_dri(webbrowser_t) +dev_write_sound(webbrowser_t) + +domain_dontaudit_read_all_domains_state(webbrowser_t) + +files_read_etc_runtime_files(webbrowser_t) +files_map_usr_files(webbrowser_t) +files_read_usr_files(webbrowser_t) +files_read_var_files(webbrowser_t) +files_read_var_lib_files(webbrowser_t) +files_read_var_symlinks(webbrowser_t) +files_dontaudit_getattr_boot_dirs(webbrowser_t) + +fs_getattr_all_fs(webbrowser_t) +fs_search_auto_mountpoints(webbrowser_t) +fs_list_inotifyfs(webbrowser_t) +fs_rw_tmpfs_files(webbrowser_t) + +term_dontaudit_getattr_pty_dirs(webbrowser_t) + +auth_use_nsswitch(webbrowser_t) + +logging_send_syslog_msg(webbrowser_t) + +miscfiles_read_fonts(webbrowser_t) +miscfiles_read_generic_certs(webbrowser_t) +miscfiles_read_localization(webbrowser_t) +miscfiles_dontaudit_setattr_fonts_dirs(webbrowser_t) +miscfiles_dontaudit_setattr_fonts_cache_dirs(webbrowser_t) + +userdom_use_user_ptys(webbrowser_t) + +userdom_manage_user_tmp_dirs(webbrowser_t) +userdom_manage_user_tmp_files(webbrowser_t) +userdom_map_user_tmp_files(webbrowser_t) + 
+userdom_user_content_access_template(webbrowser, { webbrowser_t webbrowser_plugin_t }) +userdom_user_home_dir_filetrans_user_home_content(webbrowser_t, { dir file }) + +userdom_write_user_tmp_sockets(webbrowser_t) + +webbrowser_run_plugin(webbrowser_t, webbrowser_roles) +webbrowser_run_plugin_config(webbrowser_t, webbrowser_roles) + +xdg_read_config_files(webbrowser_t) +xdg_read_data_files(webbrowser_t) +xdg_manage_downloads(webbrowser_t) + +xserver_rw_mesa_shader_cache(webbrowser_t) +xserver_user_x_domain_template(webbrowser, webbrowser_t, webbrowser_tmpfs_t) +xserver_dontaudit_read_xdm_tmp_files(webbrowser_t) +xserver_dontaudit_getattr_xdm_tmp_sockets(webbrowser_t) ifndef(`enable_mls',` - fs_list_dos(mozilla_t) - fs_read_dos_files(mozilla_t) + fs_list_dos(webbrowser_t) + fs_read_dos_files(webbrowser_t) - fs_search_removable(mozilla_t) - fs_read_removable_files(mozilla_t) - fs_read_removable_symlinks(mozilla_t) + fs_search_removable(webbrowser_t) + fs_read_removable_files(webbrowser_t) + fs_read_removable_symlinks(webbrowser_t) - fs_read_iso9660_files(mozilla_t) + fs_read_iso9660_files(webbrowser_t) ') tunable_policy(`allow_execmem',` - allow mozilla_t self:process execmem; + allow webbrowser_t self:process execmem; ') -tunable_policy(`mozilla_execstack',` - allow mozilla_t self:process { execmem execstack }; +tunable_policy(`webbrowser_execstack',` + allow webbrowser_t self:process { execmem execstack }; ') tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_t) - fs_manage_nfs_files(mozilla_t) - fs_manage_nfs_symlinks(mozilla_t) + fs_manage_nfs_dirs(webbrowser_t) + fs_manage_nfs_files(webbrowser_t) + fs_manage_nfs_symlinks(webbrowser_t) ') tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_t) - fs_manage_cifs_files(mozilla_t) - fs_manage_cifs_symlinks(mozilla_t) + fs_manage_cifs_dirs(webbrowser_t) + fs_manage_cifs_files(webbrowser_t) + fs_manage_cifs_symlinks(webbrowser_t) ') optional_policy(` - alsa_read_config(mozilla_t) - 
alsa_read_home_files(mozilla_t) + alsa_read_config(webbrowser_t) + alsa_read_home_files(webbrowser_t) ') optional_policy(` - apache_read_user_scripts(mozilla_t) - apache_read_user_content(mozilla_t) + apache_read_user_scripts(webbrowser_t) + apache_read_user_content(webbrowser_t) ') optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_t) + automount_dontaudit_getattr_tmp_dirs(webbrowser_t) ') optional_policy(` - cups_read_rw_config(mozilla_t) - cups_stream_connect(mozilla_t) + cups_read_rw_config(webbrowser_t) + cups_stream_connect(webbrowser_t) ') optional_policy(` - dbus_all_session_bus_client(mozilla_t) - dbus_connect_all_session_bus(mozilla_t) - dbus_system_bus_client(mozilla_t) + dbus_all_session_bus_client(webbrowser_t) + dbus_connect_all_session_bus(webbrowser_t) + dbus_system_bus_client(webbrowser_t) optional_policy(` - cups_dbus_chat(mozilla_t) + cups_dbus_chat(webbrowser_t) ') optional_policy(` - mozilla_dbus_chat_plugin(mozilla_t) + webbrowser_dbus_chat_plugin(webbrowser_t) ') optional_policy(` - networkmanager_dbus_chat(mozilla_t) + networkmanager_dbus_chat(webbrowser_t) ') ') optional_policy(` - evolution_domtrans(mozilla_t) + evolution_domtrans(webbrowser_t) ') optional_policy(` - gnome_stream_connect_gconf(mozilla_t) - gnome_manage_generic_gconf_home_content(mozilla_t) - gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf") - gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd") - gnome_manage_generic_home_content(mozilla_t) - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_stream_connect_gconf(webbrowser_t) + gnome_manage_generic_gconf_home_content(webbrowser_t) + gnome_home_filetrans_gconf_home(webbrowser_t, dir, ".gconf") + gnome_home_filetrans_gconf_home(webbrowser_t, dir, ".gconfd") + gnome_manage_generic_home_content(webbrowser_t) + gnome_home_filetrans_gnome_home(webbrowser_t, 
dir, ".gnome") + gnome_home_filetrans_gnome_home(webbrowser_t, dir, ".gnome2") + gnome_home_filetrans_gnome_home(webbrowser_t, dir, ".gnome2_private") ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_manage_java_tmp(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") + java_exec(webbrowser_t) + java_manage_generic_home_content(webbrowser_t) + java_manage_java_tmp(webbrowser_t) + java_home_filetrans_java_home(webbrowser_t, dir, ".java") ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) + lpd_run_lpr(webbrowser_t, webbrowser_roles) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") + mplayer_exec(webbrowser_t) + mplayer_manage_generic_home_content(webbrowser_t) + mplayer_home_filetrans_mplayer_home(webbrowser_t, dir, ".mplayer") ') optional_policy(` - ooffice_domtrans(mozilla_t) - ooffice_rw_tmp_files(mozilla_t) + ooffice_domtrans(webbrowser_t) + ooffice_rw_tmp_files(webbrowser_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) + pulseaudio_run(webbrowser_t, webbrowser_roles) ') optional_policy(` - thunderbird_domtrans(mozilla_t) + thunderbird_domtrans(webbrowser_t) ') ######################################## 
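Review bot: `mozilla_xdg_cache_t` is the one type in this hunk renamed without a compatibility alias — `+type webbrowser_xdg_cache_t;` is followed only by `xdg_cache_content(...)` — so files already labeled `mozilla_xdg_cache_t` (the `xdg_cache_filetrans(..., dir, "mozilla")` rule shows such files exist on upgraded systems) and any other module or file context still naming that type would break when the new policy loads; add `typealias webbrowser_xdg_cache_t alias { mozilla_xdg_cache_t };` next to it, as is done for every other type in the hunk. The `gen_tunable` and `attribute_role` renames have no alias mechanism at all, so a locally set `mozilla_execstack` boolean will presumably not carry over and any out-of-tree policy referencing `mozilla_roles` or `mozilla_plugin_roles` has to be updated together with this patch — that caveat belongs in the commit message. The context line `policy_module(mozilla, 2.14.1)` is left untouched; refpolicy convention is to bump the module version for a change of this size.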
@@ -343,282 +354,282 @@ optional_policy(` # Plugin local policy # -dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config }; -allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit }; -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; -allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; -allow mozilla_plugin_t self:sem create_sem_perms; -allow mozilla_plugin_t self:shm create_shm_perms; -allow mozilla_plugin_t self:tcp_socket { accept listen }; -allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen }; - -allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms; -allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms; -allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy }; -allow mozilla_plugin_t mozilla_t:sem create_sem_perms; - -manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -allow mozilla_plugin_t mozilla_home_t:file map; - -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix") - -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin") 
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata") - -filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") - -manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) -userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) - -allow mozilla_plugin_t mozilla_tmp_t:file rw_file_perms; - -manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) - -allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; - -dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) - -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) - -kernel_read_all_sysctls(mozilla_plugin_t) 
-kernel_read_system_state(mozilla_plugin_t) -kernel_read_network_state(mozilla_plugin_t) -kernel_request_load_module(mozilla_plugin_t) -kernel_dontaudit_getattr_core_if(mozilla_plugin_t) - -corecmd_exec_bin(mozilla_plugin_t) -corecmd_exec_shell(mozilla_plugin_t) - -corenet_all_recvfrom_netlabel(mozilla_plugin_t) -corenet_all_recvfrom_unlabeled(mozilla_plugin_t) -corenet_tcp_sendrecv_generic_if(mozilla_plugin_t) -corenet_tcp_sendrecv_generic_node(mozilla_plugin_t) - -corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t) -corenet_tcp_connect_asterisk_port(mozilla_plugin_t) -corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t) - -corenet_sendrecv_ftp_client_packets(mozilla_plugin_t) -corenet_tcp_connect_ftp_port(mozilla_plugin_t) -corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t) - -corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t) -corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t) -corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t) - -corenet_sendrecv_http_client_packets(mozilla_plugin_t) -corenet_tcp_connect_http_port(mozilla_plugin_t) -corenet_tcp_sendrecv_http_port(mozilla_plugin_t) - -corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t) -corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t) - -corenet_sendrecv_ipp_client_packets(mozilla_plugin_t) -corenet_tcp_connect_ipp_port(mozilla_plugin_t) -corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t) - -corenet_sendrecv_ircd_client_packets(mozilla_plugin_t) -corenet_tcp_connect_ircd_port(mozilla_plugin_t) -corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t) - -corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t) -corenet_tcp_connect_jabber_client_port(mozilla_plugin_t) -corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t) - -corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t) -corenet_tcp_connect_mmcc_port(mozilla_plugin_t) -corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t) - 
-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t) -corenet_tcp_connect_monopd_port(mozilla_plugin_t) -corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t) - -corenet_sendrecv_soundd_client_packets(mozilla_plugin_t) -corenet_tcp_connect_soundd_port(mozilla_plugin_t) -corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t) - -corenet_sendrecv_speech_client_packets(mozilla_plugin_t) -corenet_tcp_connect_speech_port(mozilla_plugin_t) -corenet_tcp_sendrecv_speech_port(mozilla_plugin_t) - -corenet_sendrecv_squid_client_packets(mozilla_plugin_t) -corenet_tcp_connect_squid_port(mozilla_plugin_t) -corenet_tcp_sendrecv_squid_port(mozilla_plugin_t) - -corenet_sendrecv_vnc_client_packets(mozilla_plugin_t) -corenet_tcp_connect_vnc_port(mozilla_plugin_t) -corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t) - -dev_read_generic_usb_dev(mozilla_plugin_t) -dev_read_rand(mozilla_plugin_t) -dev_read_realtime_clock(mozilla_plugin_t) -dev_read_sound(mozilla_plugin_t) -dev_read_sysfs(mozilla_plugin_t) -dev_read_urand(mozilla_plugin_t) -dev_read_video_dev(mozilla_plugin_t) -dev_write_sound(mozilla_plugin_t) -dev_write_video_dev(mozilla_plugin_t) -dev_rw_dri(mozilla_plugin_t) -dev_rw_xserver_misc(mozilla_plugin_t) - -dev_dontaudit_getattr_generic_files(mozilla_plugin_t) -dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t) -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) - -domain_use_interactive_fds(mozilla_plugin_t) -domain_dontaudit_read_all_domains_state(mozilla_plugin_t) - -files_exec_usr_files(mozilla_plugin_t) -files_list_mnt(mozilla_plugin_t) -files_read_config_files(mozilla_plugin_t) -files_read_usr_files(mozilla_plugin_t) -files_map_usr_files(mozilla_plugin_t) - -fs_getattr_all_fs(mozilla_plugin_t) -# fs_read_hugetlbfs_files(mozilla_plugin_t) -fs_search_auto_mountpoints(mozilla_plugin_t) - -term_getattr_all_ttys(mozilla_plugin_t) -term_getattr_all_ptys(mozilla_plugin_t) - -application_exec(mozilla_plugin_t) - 
-auth_use_nsswitch(mozilla_plugin_t) - -libs_exec_ld_so(mozilla_plugin_t) -libs_exec_lib_files(mozilla_plugin_t) - -logging_send_syslog_msg(mozilla_plugin_t) - -miscfiles_read_localization(mozilla_plugin_t) -miscfiles_read_fonts(mozilla_plugin_t) -miscfiles_read_generic_certs(mozilla_plugin_t) -miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) -miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) - -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) -userdom_map_user_tmp_files(mozilla_plugin_t) +dontaudit webbrowser_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config }; +allow webbrowser_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit }; +allow webbrowser_plugin_t self:fifo_file manage_fifo_file_perms; +allow webbrowser_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; +allow webbrowser_plugin_t self:sem create_sem_perms; +allow webbrowser_plugin_t self:shm create_shm_perms; +allow webbrowser_plugin_t self:tcp_socket { accept listen }; +allow webbrowser_plugin_t self:unix_stream_socket { accept connectto listen }; + +allow webbrowser_plugin_t webbrowser_t:unix_stream_socket rw_socket_perms; +allow webbrowser_plugin_t webbrowser_t:unix_dgram_socket rw_socket_perms; +allow webbrowser_plugin_t webbrowser_t:shm { rw_shm_perms destroy }; +allow webbrowser_plugin_t webbrowser_t:sem create_sem_perms; + +manage_dirs_pattern(webbrowser_plugin_t, { webbrowser_home_t webbrowser_plugin_home_t }, { webbrowser_home_t webbrowser_plugin_home_t }) +manage_files_pattern(webbrowser_plugin_t, { webbrowser_home_t webbrowser_plugin_home_t }, webbrowser_plugin_home_t) +manage_lnk_files_pattern(webbrowser_plugin_t, { webbrowser_home_t webbrowser_plugin_home_t }, webbrowser_plugin_home_t) +allow webbrowser_plugin_t webbrowser_home_t:file map; + +userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_home_t, dir, ".galeon") 
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_home_t, dir, ".mozilla")
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_home_t, dir, ".netscape")
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_home_t, dir, ".phoenix")
+
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_plugin_home_t, dir, ".adobe")
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_plugin_home_t, dir, ".macromedia")
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_plugin_home_t, dir, ".gnash")
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_plugin_home_t, dir, ".gcjwebplugin")
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_plugin_home_t, dir, ".icedteaplugin")
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_plugin_home_t, dir, ".spicec")
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_plugin_home_t, dir, ".ICAClient")
+userdom_user_home_dir_filetrans(webbrowser_plugin_t, webbrowser_plugin_home_t, dir, "zimbrauserdata")
+
+filetrans_pattern(webbrowser_plugin_t, webbrowser_home_t, webbrowser_plugin_home_t, dir, "plugins")
+
+manage_dirs_pattern(webbrowser_plugin_t, webbrowser_plugin_tmp_t, webbrowser_plugin_tmp_t)
+manage_files_pattern(webbrowser_plugin_t, webbrowser_plugin_tmp_t, webbrowser_plugin_tmp_t)
+manage_fifo_files_pattern(webbrowser_plugin_t, webbrowser_plugin_tmp_t, webbrowser_plugin_tmp_t)
+files_tmp_filetrans(webbrowser_plugin_t, webbrowser_plugin_tmp_t, { dir file fifo_file })
+userdom_user_tmp_filetrans(webbrowser_plugin_t, webbrowser_plugin_tmp_t, { dir file fifo_file })
+
+allow webbrowser_plugin_t webbrowser_tmp_t:file rw_file_perms;
+
+manage_files_pattern(webbrowser_plugin_t, webbrowser_plugin_tmpfs_t, webbrowser_plugin_tmpfs_t)
+manage_lnk_files_pattern(webbrowser_plugin_t, webbrowser_plugin_tmpfs_t, webbrowser_plugin_tmpfs_t)
+manage_fifo_files_pattern(webbrowser_plugin_t, webbrowser_plugin_tmpfs_t, webbrowser_plugin_tmpfs_t)
+manage_sock_files_pattern(webbrowser_plugin_t, webbrowser_plugin_tmpfs_t, webbrowser_plugin_tmpfs_t)
+fs_tmpfs_filetrans(webbrowser_plugin_t, webbrowser_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+allow webbrowser_plugin_t webbrowser_plugin_rw_t:dir list_dir_perms;
+allow webbrowser_plugin_t webbrowser_plugin_rw_t:file read_file_perms;
+allow webbrowser_plugin_t webbrowser_plugin_rw_t:lnk_file read_lnk_file_perms;
+
+dgram_send_pattern(webbrowser_plugin_t, webbrowser_plugin_tmpfs_t, webbrowser_plugin_tmpfs_t, webbrowser_t)
+stream_connect_pattern(webbrowser_plugin_t, webbrowser_plugin_tmpfs_t, webbrowser_plugin_tmpfs_t, webbrowser_t)
+
+can_exec(webbrowser_plugin_t, { webbrowser_exec_t webbrowser_plugin_home_t webbrowser_plugin_tmp_t })
+
+kernel_read_all_sysctls(webbrowser_plugin_t)
+kernel_read_system_state(webbrowser_plugin_t)
+kernel_read_network_state(webbrowser_plugin_t)
+kernel_request_load_module(webbrowser_plugin_t)
+kernel_dontaudit_getattr_core_if(webbrowser_plugin_t)
+
+corecmd_exec_bin(webbrowser_plugin_t)
+corecmd_exec_shell(webbrowser_plugin_t)
+
+corenet_all_recvfrom_netlabel(webbrowser_plugin_t)
+corenet_all_recvfrom_unlabeled(webbrowser_plugin_t)
+corenet_tcp_sendrecv_generic_if(webbrowser_plugin_t)
+corenet_tcp_sendrecv_generic_node(webbrowser_plugin_t)
+
+corenet_sendrecv_asterisk_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_asterisk_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_asterisk_port(webbrowser_plugin_t)
+
+corenet_sendrecv_ftp_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_ftp_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_ftp_port(webbrowser_plugin_t)
+
+corenet_sendrecv_gatekeeper_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_gatekeeper_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_gatekeeper_port(webbrowser_plugin_t)
+
+corenet_sendrecv_http_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_http_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_http_port(webbrowser_plugin_t)
+
+corenet_sendrecv_http_cache_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_http_cache_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_http_cache_port(webbrowser_plugin_t)
+
+corenet_sendrecv_ipp_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_ipp_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_ipp_port(webbrowser_plugin_t)
+
+corenet_sendrecv_ircd_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_ircd_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_ircd_port(webbrowser_plugin_t)
+
+corenet_sendrecv_jabber_client_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_jabber_client_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_jabber_client_port(webbrowser_plugin_t)
+
+corenet_sendrecv_mmcc_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_mmcc_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_mmcc_port(webbrowser_plugin_t)
+
+corenet_sendrecv_monopd_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_monopd_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_monopd_port(webbrowser_plugin_t)
+
+corenet_sendrecv_soundd_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_soundd_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_soundd_port(webbrowser_plugin_t)
+
+corenet_sendrecv_speech_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_speech_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_speech_port(webbrowser_plugin_t)
+
+corenet_sendrecv_squid_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_squid_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_squid_port(webbrowser_plugin_t)
+
+corenet_sendrecv_vnc_client_packets(webbrowser_plugin_t)
+corenet_tcp_connect_vnc_port(webbrowser_plugin_t)
+corenet_tcp_sendrecv_vnc_port(webbrowser_plugin_t)
+
+dev_read_generic_usb_dev(webbrowser_plugin_t)
+dev_read_rand(webbrowser_plugin_t)
+dev_read_realtime_clock(webbrowser_plugin_t)
+dev_read_sound(webbrowser_plugin_t)
+dev_read_sysfs(webbrowser_plugin_t)
+dev_read_urand(webbrowser_plugin_t) +dev_read_video_dev(webbrowser_plugin_t) +dev_write_sound(webbrowser_plugin_t) +dev_write_video_dev(webbrowser_plugin_t) +dev_rw_dri(webbrowser_plugin_t) +dev_rw_xserver_misc(webbrowser_plugin_t) + +dev_dontaudit_getattr_generic_files(webbrowser_plugin_t) +dev_dontaudit_getattr_generic_pipes(webbrowser_plugin_t) +dev_dontaudit_getattr_all_blk_files(webbrowser_plugin_t) +dev_dontaudit_getattr_all_chr_files(webbrowser_plugin_t) + +domain_use_interactive_fds(webbrowser_plugin_t) +domain_dontaudit_read_all_domains_state(webbrowser_plugin_t) + +files_exec_usr_files(webbrowser_plugin_t) +files_list_mnt(webbrowser_plugin_t) +files_read_config_files(webbrowser_plugin_t) +files_read_usr_files(webbrowser_plugin_t) +files_map_usr_files(webbrowser_plugin_t) + +fs_getattr_all_fs(webbrowser_plugin_t) +# fs_read_hugetlbfs_files(webbrowser_plugin_t) +fs_search_auto_mountpoints(webbrowser_plugin_t) + +term_getattr_all_ttys(webbrowser_plugin_t) +term_getattr_all_ptys(webbrowser_plugin_t) + +application_exec(webbrowser_plugin_t) + +auth_use_nsswitch(webbrowser_plugin_t) + +libs_exec_ld_so(webbrowser_plugin_t) +libs_exec_lib_files(webbrowser_plugin_t) + +logging_send_syslog_msg(webbrowser_plugin_t) + +miscfiles_read_localization(webbrowser_plugin_t) +miscfiles_read_fonts(webbrowser_plugin_t) +miscfiles_read_generic_certs(webbrowser_plugin_t) +miscfiles_dontaudit_setattr_fonts_dirs(webbrowser_plugin_t) +miscfiles_dontaudit_setattr_fonts_cache_dirs(webbrowser_plugin_t) + +userdom_manage_user_tmp_dirs(webbrowser_plugin_t) +userdom_manage_user_tmp_files(webbrowser_plugin_t) +userdom_map_user_tmp_files(webbrowser_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) +userdom_user_home_dir_filetrans_user_home_content(webbrowser_plugin_t, { dir file }) -userdom_write_user_tmp_sockets(mozilla_plugin_t) +userdom_write_user_tmp_sockets(webbrowser_plugin_t) -userdom_dontaudit_use_user_terminals(mozilla_plugin_t) 
+userdom_dontaudit_use_user_terminals(webbrowser_plugin_t) -xdg_read_config_files(mozilla_plugin_t) +xdg_read_config_files(webbrowser_plugin_t) ifndef(`enable_mls',` - fs_list_dos(mozilla_plugin_t) - fs_read_dos_files(mozilla_plugin_t) + fs_list_dos(webbrowser_plugin_t) + fs_read_dos_files(webbrowser_plugin_t) - fs_search_removable(mozilla_plugin_t) - fs_read_removable_files(mozilla_plugin_t) - fs_read_removable_symlinks(mozilla_plugin_t) + fs_search_removable(webbrowser_plugin_t) + fs_read_removable_files(webbrowser_plugin_t) + fs_read_removable_symlinks(webbrowser_plugin_t) - fs_read_iso9660_files(mozilla_plugin_t) + fs_read_iso9660_files(webbrowser_plugin_t) ') tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process execmem; + allow webbrowser_plugin_t self:process execmem; ') -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_t self:process { execmem execstack }; +tunable_policy(`webbrowser_execstack',` + allow webbrowser_plugin_t self:process { execmem execstack }; ') tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_t) - fs_manage_nfs_files(mozilla_plugin_t) - fs_manage_nfs_symlinks(mozilla_plugin_t) + fs_manage_nfs_dirs(webbrowser_plugin_t) + fs_manage_nfs_files(webbrowser_plugin_t) + fs_manage_nfs_symlinks(webbrowser_plugin_t) ') tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_plugin_t) - fs_manage_cifs_files(mozilla_plugin_t) - fs_manage_cifs_symlinks(mozilla_plugin_t) + fs_manage_cifs_dirs(webbrowser_plugin_t) + fs_manage_cifs_files(webbrowser_plugin_t) + fs_manage_cifs_symlinks(webbrowser_plugin_t) ') optional_policy(` - alsa_read_config(mozilla_plugin_t) - alsa_read_home_files(mozilla_plugin_t) + alsa_read_config(webbrowser_plugin_t) + alsa_read_home_files(webbrowser_plugin_t) ') optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) + automount_dontaudit_getattr_tmp_dirs(webbrowser_plugin_t) ') optional_policy(` - dbus_all_session_bus_client(mozilla_plugin_t) - 
dbus_connect_all_session_bus(mozilla_plugin_t) - dbus_system_bus_client(mozilla_plugin_t) + dbus_all_session_bus_client(webbrowser_plugin_t) + dbus_connect_all_session_bus(webbrowser_plugin_t) + dbus_system_bus_client(webbrowser_plugin_t) ') optional_policy(` - gnome_manage_generic_home_content(mozilla_plugin_t) - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") + gnome_manage_generic_home_content(webbrowser_plugin_t) + gnome_home_filetrans_gnome_home(webbrowser_plugin_t, dir, ".gnome") + gnome_home_filetrans_gnome_home(webbrowser_plugin_t, dir, ".gnome2") + gnome_home_filetrans_gnome_home(webbrowser_plugin_t, dir, ".gnome2_private") ') optional_policy(` - java_exec(mozilla_plugin_t) - java_manage_generic_home_content(mozilla_plugin_t) - java_manage_java_tmp(mozilla_plugin_t) - java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java") + java_exec(webbrowser_plugin_t) + java_manage_generic_home_content(webbrowser_plugin_t) + java_manage_java_tmp(webbrowser_plugin_t) + java_home_filetrans_java_home(webbrowser_plugin_t, dir, ".java") ') optional_policy(` - lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles) + lpd_run_lpr(webbrowser_plugin_t, webbrowser_plugin_roles) ') optional_policy(` - mplayer_exec(mozilla_plugin_t) - mplayer_manage_generic_home_content(mozilla_plugin_t) - mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") + mplayer_exec(webbrowser_plugin_t) + mplayer_manage_generic_home_content(webbrowser_plugin_t) + mplayer_home_filetrans_mplayer_home(webbrowser_plugin_t, dir, ".mplayer") ') optional_policy(` - pcscd_stream_connect(mozilla_plugin_t) + pcscd_stream_connect(webbrowser_plugin_t) ') optional_policy(` - pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) + pulseaudio_run(webbrowser_plugin_t, webbrowser_plugin_roles) ') optional_policy(` - 
udev_read_db(mozilla_plugin_t) + udev_read_db(webbrowser_plugin_t) ') optional_policy(` - xserver_read_user_xauth(mozilla_plugin_t) - xserver_read_xdm_pid(mozilla_plugin_t) - xserver_stream_connect(mozilla_plugin_t) - xserver_use_user_fonts(mozilla_plugin_t) - xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) + xserver_read_user_xauth(webbrowser_plugin_t) + xserver_read_xdm_pid(webbrowser_plugin_t) + xserver_stream_connect(webbrowser_plugin_t) + xserver_use_user_fonts(webbrowser_plugin_t) + xserver_dontaudit_read_xdm_tmp_files(webbrowser_plugin_t) ') ######################################## 
@@ -626,96 +637,96 @@ optional_policy(` # Plugin config local policy # -allow mozilla_plugin_config_t self:capability { dac_override dac_read_search setgid setuid sys_nice }; -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; +allow webbrowser_plugin_config_t self:capability { dac_override dac_read_search setgid setuid sys_nice }; +allow webbrowser_plugin_config_t self:process { setsched signal_perms getsched }; +allow webbrowser_plugin_config_t self:fifo_file rw_fifo_file_perms; +allow webbrowser_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; +allow webbrowser_plugin_config_t webbrowser_plugin_rw_t:dir manage_dir_perms; +allow webbrowser_plugin_config_t webbrowser_plugin_rw_t:file manage_file_perms; +allow webbrowser_plugin_config_t webbrowser_plugin_rw_t:lnk_file manage_lnk_file_perms; -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) +manage_dirs_pattern(webbrowser_plugin_config_t, { webbrowser_home_t webbrowser_plugin_home_t }, { webbrowser_home_t webbrowser_plugin_home_t }) +manage_files_pattern(webbrowser_plugin_config_t, { webbrowser_home_t webbrowser_plugin_home_t }, webbrowser_plugin_home_t) +manage_lnk_files_pattern(webbrowser_plugin_config_t, { webbrowser_home_t webbrowser_plugin_home_t }, webbrowser_plugin_home_t) 
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_home_t, dir, ".galeon") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_home_t, dir, ".mozilla") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_home_t, dir, ".netscape") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_home_t, dir, ".phoenix") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_plugin_home_t, dir, ".adobe") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_plugin_home_t, dir, ".macromedia") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_plugin_home_t, dir, ".gnash") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_plugin_home_t, dir, ".gcjwebplugin") 
+userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_plugin_home_t, dir, ".icedteaplugin") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_plugin_home_t, dir, ".spicec") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_plugin_home_t, dir, ".ICAClient") +userdom_user_home_dir_filetrans(webbrowser_plugin_config_t, webbrowser_plugin_home_t, dir, "zimbrauserdata") -filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +filetrans_pattern(webbrowser_plugin_config_t, webbrowser_home_t, webbrowser_plugin_home_t, dir, "plugins") -can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +can_exec(webbrowser_plugin_config_t, { webbrowser_plugin_rw_t webbrowser_plugin_home_t }) -ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +ps_process_pattern(webbrowser_plugin_config_t, webbrowser_plugin_t) -kernel_read_system_state(mozilla_plugin_config_t) -kernel_request_load_module(mozilla_plugin_config_t) +kernel_read_system_state(webbrowser_plugin_config_t) +kernel_request_load_module(webbrowser_plugin_config_t) -corecmd_exec_bin(mozilla_plugin_config_t) -corecmd_exec_shell(mozilla_plugin_config_t) +corecmd_exec_bin(webbrowser_plugin_config_t) +corecmd_exec_shell(webbrowser_plugin_config_t) -dev_read_urand(mozilla_plugin_config_t) -dev_rw_dri(mozilla_plugin_config_t) -dev_search_sysfs(mozilla_plugin_config_t) -dev_dontaudit_read_rand(mozilla_plugin_config_t) +dev_read_urand(webbrowser_plugin_config_t) +dev_rw_dri(webbrowser_plugin_config_t) +dev_search_sysfs(webbrowser_plugin_config_t) +dev_dontaudit_read_rand(webbrowser_plugin_config_t) -domain_use_interactive_fds(mozilla_plugin_config_t) +domain_use_interactive_fds(webbrowser_plugin_config_t) -files_list_tmp(mozilla_plugin_config_t) -files_read_usr_files(mozilla_plugin_config_t) -files_dontaudit_search_home(mozilla_plugin_config_t) +files_list_tmp(webbrowser_plugin_config_t) 
+files_read_usr_files(webbrowser_plugin_config_t) +files_dontaudit_search_home(webbrowser_plugin_config_t) -fs_getattr_all_fs(mozilla_plugin_config_t) -fs_search_auto_mountpoints(mozilla_plugin_config_t) -fs_list_inotifyfs(mozilla_plugin_config_t) +fs_getattr_all_fs(webbrowser_plugin_config_t) +fs_search_auto_mountpoints(webbrowser_plugin_config_t) +fs_list_inotifyfs(webbrowser_plugin_config_t) -auth_use_nsswitch(mozilla_plugin_config_t) +auth_use_nsswitch(webbrowser_plugin_config_t) -miscfiles_read_localization(mozilla_plugin_config_t) -miscfiles_read_fonts(mozilla_plugin_config_t) +miscfiles_read_localization(webbrowser_plugin_config_t) +miscfiles_read_fonts(webbrowser_plugin_config_t) -userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) -userdom_read_user_home_content_files(mozilla_plugin_config_t) +userdom_read_user_home_content_symlinks(webbrowser_plugin_config_t) +userdom_read_user_home_content_files(webbrowser_plugin_config_t) -userdom_use_user_ptys(mozilla_plugin_config_t) +userdom_use_user_ptys(webbrowser_plugin_config_t) -mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles) +webbrowser_run_plugin(webbrowser_plugin_config_t, webbrowser_plugin_config_roles) tunable_policy(`allow_execmem',` - allow mozilla_plugin_config_t self:process execmem; + allow webbrowser_plugin_config_t self:process execmem; ') -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_config_t self:process { execmem execstack }; +tunable_policy(`webbrowser_execstack',` + allow webbrowser_plugin_config_t self:process { execmem execstack }; ') tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_config_t) - fs_manage_nfs_files(mozilla_plugin_config_t) - fs_manage_nfs_symlinks(mozilla_plugin_config_t) + fs_manage_nfs_dirs(webbrowser_plugin_config_t) + fs_manage_nfs_files(webbrowser_plugin_config_t) + fs_manage_nfs_symlinks(webbrowser_plugin_config_t) ') tunable_policy(`use_samba_home_dirs',` - 
fs_manage_cifs_dirs(mozilla_plugin_config_t) - fs_manage_cifs_files(mozilla_plugin_config_t) - fs_manage_cifs_symlinks(mozilla_plugin_config_t) + fs_manage_cifs_dirs(webbrowser_plugin_config_t) + fs_manage_cifs_files(webbrowser_plugin_config_t) + fs_manage_cifs_symlinks(webbrowser_plugin_config_t) ') optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) + automount_dontaudit_getattr_tmp_dirs(webbrowser_plugin_config_t) ') optional_policy(` - xserver_use_user_fonts(mozilla_plugin_config_t) + xserver_use_user_fonts(webbrowser_plugin_config_t) ') Index: refpolicy-2.20180701/policy/modules/apps/mozilla.fc =================================================================== --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.fc +++ refpolicy-2.20180701/policy/modules/apps/mozilla.fc 
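Review bot: The `tunable_policy(`webbrowser_execstack',` line in this hunk renames a boolean, and unlike the type rename that cannot be bridged by `typealias` — SELinux has no alias mechanism for booleans — so a persisted `mozilla_execstack` setting (booleans.local or `setsebool -P`) silently stops applying after the upgrade and `setsebool mozilla_execstack` fails as an unknown boolean. The fallback is whatever `gen_tunable(webbrowser_execstack, ...)` declares, which is outside this hunk; if that default is off the effect is fail-closed, but it still changes a working deployment without notice. Consider leaving the boolean named `mozilla_execstack` for now, or at least calling the rename out in the commit message so packagers can migrate the persisted setting. `webbrowser_run_plugin(webbrowser_plugin_config_t, webbrowser_plugin_config_roles)` likewise depends on the renamed interface in mozilla.if being available to every module that builds against this one.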
@@ -1,42 +1,42 @@ -HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_xdg_cache_t,s0) -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) -HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.vimperator.* gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:webbrowser_xdg_cache_t,s0) +HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:webbrowser_home_t,s0) +HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:webbrowser_home_t,s0) +HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:webbrowser_plugin_home_t,s0) +HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:webbrowser_home_t,s0) +HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:webbrowser_home_t,s0) +HOME_DIR/\.vimperator.* gen_context(system_u:object_r:webbrowser_home_t,s0) -HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) -HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) -HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) -HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) -HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) -HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) -HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) -HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:webbrowser_plugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? 
gen_context(system_u:object_r:webbrowser_plugin_home_t,s0) +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:webbrowser_plugin_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:webbrowser_plugin_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:webbrowser_plugin_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:webbrowser_plugin_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:webbrowser_plugin_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:webbrowser_plugin_home_t,s0) -/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +/usr/bin/epiphany -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/bin/epiphany-bin -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/bin/mozilla -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/bin/netscape -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/bin/nspluginscan -- gen_context(system_u:object_r:webbrowser_plugin_exec_t,s0) +/usr/bin/nspluginviewer -- gen_context(system_u:object_r:webbrowser_plugin_exec_t,s0) 
-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/firefox[^/]*/firefox-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/iceweasel/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) -/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) -/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/lib/firefox[^/]*/firefox-.* -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/lib/galeon/galeon -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/lib/iceweasel/plugin-container -- gen_context(system_u:object_r:webbrowser_plugin_exec_t,s0) 
+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:webbrowser_plugin_rw_t,s0) +/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:webbrowser_exec_t,s0) +/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:webbrowser_plugin_exec_t,s0) +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:webbrowser_plugin_config_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:webbrowser_plugin_exec_t,s0) Index: refpolicy-2.20180701/policy/modules/apps/mozilla.if =================================================================== --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.if +++ refpolicy-2.20180701/policy/modules/apps/mozilla.if @@ -2,7 +2,7 @@ ######################################## ## -## Role access for mozilla. +## Role access for graphical web browser. ## ## ## @@ -15,12 +15,12 @@ ## ## # -interface(`mozilla_role',` +interface(`webbrowser_role',` gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; - type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; - type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; - attribute_role mozilla_roles; + type webbrowser_t, webbrowser_exec_t, webbrowser_home_t; + type webbrowser_tmp_t, webbrowser_tmpfs_t, webbrowser_plugin_tmp_t; + type webbrowser_plugin_tmpfs_t, webbrowser_plugin_home_t; + attribute_role webbrowser_roles; ') ######################################## 
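Review bot: `interface(`webbrowser_role',` drops the `mozilla_role` name without a compatibility interface, and the typealias rules the description mentions only cover types — there is no equivalent aliasing for m4 interfaces — so every caller of `mozilla_role` (the in-tree role modules and any out-of-tree local policy) fails to build with an undefined interface until it is updated, and as far as this excerpt shows none of those callers are touched by the patch. Keeping a deprecated shim next to the new interface avoids the build break: `interface(`mozilla_role',` / `refpolicywarn(`$0($*) has been deprecated, please use webbrowser_role() instead.')` / `webbrowser_role($1, $2)` closed with `')`. The same treatment is needed for each other renamed interface in mozilla.if, such as `webbrowser_dbus_chat` and `webbrowser_run_plugin`, for the transition release.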
@@ -28,53 +28,53 @@ interface(`mozilla_role',` # Declarations # - roleattribute $1 mozilla_roles; + roleattribute $1 webbrowser_roles; ######################################## # # Policy # - domtrans_pattern($2, mozilla_exec_t, mozilla_t) + domtrans_pattern($2, webbrowser_exec_t, webbrowser_t) - allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; - ps_process_pattern($2, mozilla_t) + allow $2 webbrowser_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; + ps_process_pattern($2, webbrowser_t) - allow mozilla_t $2:process signull; - allow mozilla_t $2:unix_stream_socket connectto; + allow webbrowser_t $2:process signull; + allow webbrowser_t $2:unix_stream_socket connectto; - allow $2 mozilla_t:fd use; - allow $2 mozilla_t:shm rw_shm_perms; + allow $2 webbrowser_t:fd use; + allow $2 webbrowser_t:shm rw_shm_perms; - stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) + stream_connect_pattern($2, webbrowser_tmpfs_t, webbrowser_tmpfs_t, webbrowser_t) - allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") + allow $2 { webbrowser_home_t webbrowser_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { webbrowser_home_t webbrowser_plugin_home_t }:file { manage_file_perms relabel_file_perms }; + allow $2 webbrowser_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + userdom_user_home_dir_filetrans($2, webbrowser_home_t, dir, ".galeon") + userdom_user_home_dir_filetrans($2, 
webbrowser_home_t, dir, ".mozilla") + userdom_user_home_dir_filetrans($2, webbrowser_home_t, dir, ".netscape") + userdom_user_home_dir_filetrans($2, webbrowser_home_t, dir, ".phoenix") - filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") + filetrans_pattern($2, webbrowser_home_t, webbrowser_plugin_home_t, dir, "plugins") - allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + allow $2 { webbrowser_tmp_t webbrowser_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { webbrowser_tmp_t webbrowser_plugin_tmp_t }:file { manage_file_perms relabel_file_perms }; + allow $2 webbrowser_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + allow $2 { webbrowser_tmpfs_t webbrowser_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { webbrowser_tmpfs_t webbrowser_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms }; + allow $2 { webbrowser_tmpfs_t webbrowser_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + allow $2 { webbrowser_tmpfs_t webbrowser_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; optional_policy(` - mozilla_dbus_chat($2) + webbrowser_dbus_chat($2) ') ') ######################################## ## -## Role access for mozilla plugin. 
+## Role access for web browser plugin. ## ## ## 
@@ -87,60 +87,60 @@ interface(`mozilla_role',` ## ## # -interface(`mozilla_role_plugin',` +interface(`webbrowser_role_plugin',` gen_require(` - type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t; - type mozilla_home_t; + type webbrowser_plugin_tmp_t, webbrowser_plugin_tmpfs_t, webbrowser_plugin_rw_t; + type webbrowser_home_t; ') - mozilla_run_plugin($2, $1) - mozilla_run_plugin_config($2, $1) + webbrowser_run_plugin($2, $1) + webbrowser_run_plugin_config($2, $1) - allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) + allow $2 { webbrowser_plugin_t webbrowser_plugin_config_t }:process { ptrace signal_perms }; + ps_process_pattern($2, { webbrowser_plugin_t webbrowser_plugin_config_t }) - allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; - allow $2 mozilla_plugin_t:fd use; + allow $2 webbrowser_plugin_t:unix_stream_socket rw_socket_perms; + allow $2 webbrowser_plugin_t:fd use; - stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) + stream_connect_pattern($2, webbrowser_plugin_tmpfs_t, webbrowser_plugin_tmpfs_t, webbrowser_plugin_t) - allow mozilla_plugin_t $2:process signull; - allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms }; - allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms }; - allow mozilla_plugin_t $2:shm { rw_shm_perms destroy }; - allow mozilla_plugin_t $2:sem create_sem_perms; + allow webbrowser_plugin_t $2:process signull; + allow webbrowser_plugin_t $2:unix_stream_socket { connectto rw_socket_perms }; + allow webbrowser_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms }; + allow webbrowser_plugin_t $2:shm { rw_shm_perms destroy }; + allow webbrowser_plugin_t $2:sem create_sem_perms; - allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms }; - allow 
$2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") + allow $2 webbrowser_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 webbrowser_home_t:file { manage_file_perms relabel_file_perms }; + allow $2 webbrowser_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + userdom_user_home_dir_filetrans($2, webbrowser_home_t, dir, ".galeon") + userdom_user_home_dir_filetrans($2, webbrowser_home_t, dir, ".mozilla") + userdom_user_home_dir_filetrans($2, webbrowser_home_t, dir, ".netscape") + userdom_user_home_dir_filetrans($2, webbrowser_home_t, dir, ".phoenix") - allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + allow $2 webbrowser_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 webbrowser_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; + allow $2 webbrowser_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + allow $2 webbrowser_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 webbrowser_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms }; + allow $2 webbrowser_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms }; + allow $2 webbrowser_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - allow $2 mozilla_plugin_rw_t:dir list_dir_perms; - allow $2 mozilla_plugin_rw_t:file read_file_perms; - allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; + allow $2 webbrowser_plugin_rw_t:dir list_dir_perms; + allow $2 webbrowser_plugin_rw_t:file read_file_perms; + allow $2 webbrowser_plugin_rw_t:lnk_file read_lnk_file_perms; - can_exec($2, mozilla_plugin_rw_t) + can_exec($2, webbrowser_plugin_rw_t) optional_policy(` - mozilla_dbus_chat_plugin($2) + webbrowser_dbus_chat_plugin($2) ') ') ######################################## ## -## Read mozilla home directory content. +## Read web browser home directory content. ## ## ## @@ -148,20 +148,20 @@ interface(`mozilla_role_plugin',` ## ## # -interface(`mozilla_read_user_home_files',` +interface(`webbrowser_read_user_home_files',` gen_require(` - type mozilla_home_t; + type webbrowser_home_t; ') userdom_search_user_home_dirs($1) - allow $1 mozilla_home_t:dir list_dir_perms; - allow $1 mozilla_home_t:file read_file_perms; - allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; + allow $1 webbrowser_home_t:dir list_dir_perms; + allow $1 webbrowser_home_t:file read_file_perms; + allow $1 webbrowser_home_t:lnk_file read_lnk_file_perms; ') ######################################## ## -## Write mozilla home directory files. +## Write web browser home directory files. ## ## ## 
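Review bot: The old `mozilla_role_plugin` interface name disappears entirely here, and the typealias rules the description mentions cannot cover that, because a typealias only aliases types, not interface names — any out-of-tree module that still calls `mozilla_role_plugin()`, `mozilla_domtrans()`, `mozilla_dbus_chat()` or the other renamed interfaces in the hunks that follow will fail to build once this lands. The refpolicy convention for a rename is to keep each old interface as a deprecated wrapper whose body is ``refpolicywarn(`$0($*) has been deprecated, please use webbrowser_role_plugin() instead.')`` followed by `webbrowser_role_plugin($1, $2)`, and likewise for the other renamed interfaces. The mozilla.te hunk that supposedly carries the typealias rules is not in view, so whether the type aliases are present cannot be confirmed from these hunks.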
@@ -169,19 +169,19 @@ interface(`mozilla_read_user_home_files' ## ## # -interface(`mozilla_write_user_home_files',` +interface(`webbrowser_write_user_home_files',` gen_require(` - type mozilla_home_t; + type webbrowser_home_t; ') userdom_search_user_home_dirs($1) - write_files_pattern($1, mozilla_home_t, mozilla_home_t) + write_files_pattern($1, webbrowser_home_t, webbrowser_home_t) ') ######################################## ## ## Do not audit attempts to read and -## write mozilla home directory files. +## write web browser home directory files. ## ## ## @@ -189,18 +189,18 @@ interface(`mozilla_write_user_home_files ## ## # -interface(`mozilla_dontaudit_rw_user_home_files',` +interface(`webbrowser_dontaudit_rw_user_home_files',` gen_require(` - type mozilla_home_t; + type webbrowser_home_t; ') - dontaudit $1 mozilla_home_t:file rw_file_perms; + dontaudit $1 webbrowser_home_t:file rw_file_perms; ') ######################################## ## ## Do not audit attempt to Create, -## read, write, and delete mozilla +## read, write, and delete web browser ## home directory content. ## ## @@ -209,19 +209,19 @@ interface(`mozilla_dontaudit_rw_user_hom ## ## # -interface(`mozilla_dontaudit_manage_user_home_files',` +interface(`webbrowser_dontaudit_manage_user_home_files',` gen_require(` - type mozilla_home_t; + type webbrowser_home_t; ') - dontaudit $1 mozilla_home_t:dir manage_dir_perms; - dontaudit $1 mozilla_home_t:file manage_file_perms; - dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms; + dontaudit $1 webbrowser_home_t:dir manage_dir_perms; + dontaudit $1 webbrowser_home_t:file manage_file_perms; + dontaudit $1 webbrowser_home_t:lnk_file manage_lnk_file_perms; ') ######################################## ## -## Execute mozilla plugin home directory files. +## Execute web browser plugin home directory files. ## ## ## 
@@ -229,13 +229,13 @@ interface(`mozilla_dontaudit_manage_user ## ## # -interface(`mozilla_exec_user_plugin_home_files',` +interface(`webbrowser_exec_user_plugin_home_files',` gen_require(` - type mozilla_home_t, mozilla_plugin_home_t; + type webbrowser_home_t, webbrowser_plugin_home_t; ') userdom_search_user_home_dirs($1) - exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) + exec_files_pattern($1, { webbrowser_home_t webbrowser_plugin_home_t }, webbrowser_plugin_home_t) ') ######################################## @@ -249,17 +249,17 @@ interface(`mozilla_exec_user_plugin_home ## ## # -interface(`mozilla_execmod_user_plugin_home_files',` +interface(`webbrowser_execmod_user_plugin_home_files',` gen_require(` - type mozilla_plugin_home_t; + type webbrowser_plugin_home_t; ') - allow $1 mozilla_plugin_home_t:file execmod; + allow $1 webbrowser_plugin_home_t:file execmod; ') ####################################### ## -## Read temporary mozilla files. +## Read temporary web browser files. ## ## ## @@ -267,17 +267,17 @@ interface(`mozilla_execmod_user_plugin_h ## ## # -interface(`mozilla_read_tmp_files',` +interface(`webbrowser_read_tmp_files',` gen_require(` - type mozilla_tmp_t; + type webbrowser_tmp_t; ') - read_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t) + read_files_pattern($1, webbrowser_tmp_t, webbrowser_tmp_t) ') ######################################## ## -## Run mozilla in the mozilla domain. +## Run web browser in the web browser domain. ## ## ## 
@@ -285,19 +285,19 @@ interface(`mozilla_read_tmp_files',` ## ## # -interface(`mozilla_domtrans',` +interface(`webbrowser_domtrans',` gen_require(` - type mozilla_t, mozilla_exec_t; + type webbrowser_t, webbrowser_exec_t; ') corecmd_search_bin($1) - domtrans_pattern($1, mozilla_exec_t, mozilla_t) + domtrans_pattern($1, webbrowser_exec_t, webbrowser_t) ') ######################################## ## ## Execute a domain transition to -## run mozilla plugin. +## run web browser plugin. ## ## ## @@ -305,20 +305,20 @@ interface(`mozilla_domtrans',` ## ## # -interface(`mozilla_domtrans_plugin',` +interface(`webbrowser_domtrans_plugin',` gen_require(` - type mozilla_plugin_t, mozilla_plugin_exec_t; + type webbrowser_plugin_t, webbrowser_plugin_exec_t; ') corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) + domtrans_pattern($1, webbrowser_plugin_exec_t, webbrowser_plugin_t) ') ######################################## ## -## Execute mozilla plugin in the -## mozilla plugin domain, and allow -## the specified role the mozilla +## Execute web browser plugin in the +## web browser plugin domain, and allow +## the specified role the web browser ## plugin domain. ## ## @@ -332,19 +332,19 @@ interface(`mozilla_domtrans_plugin',` ## ## # -interface(`mozilla_run_plugin',` +interface(`webbrowser_run_plugin',` gen_require(` - attribute_role mozilla_plugin_roles; + attribute_role webbrowser_plugin_roles; ') - mozilla_domtrans_plugin($1) - roleattribute $2 mozilla_plugin_roles; + webbrowser_domtrans_plugin($1) + roleattribute $2 webbrowser_plugin_roles; ') ######################################## ## ## Execute a domain transition to -## run mozilla plugin config. +## run web browser plugin config. ## ## ## 
@@ -352,21 +352,21 @@ interface(`mozilla_run_plugin',` ## ## # -interface(`mozilla_domtrans_plugin_config',` +interface(`webbrowser_domtrans_plugin_config',` gen_require(` - type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; + type webbrowser_plugin_config_t, webbrowser_plugin_config_exec_t; ') corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) + domtrans_pattern($1, webbrowser_plugin_config_exec_t, webbrowser_plugin_config_t) ') ######################################## ## -## Execute mozilla plugin config in -## the mozilla plugin config domain, +## Execute web browser plugin config in +## the web browser plugin config domain, ## and allow the specified role the -## mozilla plugin config domain. +## web browser plugin config domain. ## ## ## @@ -379,19 +379,19 @@ interface(`mozilla_domtrans_plugin_confi ## ## # -interface(`mozilla_run_plugin_config',` +interface(`webbrowser_run_plugin_config',` gen_require(` - attribute_role mozilla_plugin_config_roles; + attribute_role webbrowser_plugin_config_roles; ') - mozilla_domtrans_plugin_config($1) - roleattribute $2 mozilla_plugin_config_roles; + webbrowser_domtrans_plugin_config($1) + roleattribute $2 webbrowser_plugin_config_roles; ') ######################################## ## ## Send and receive messages from -## mozilla over dbus. +## web browser over dbus. ## ## ## @@ -399,20 +399,20 @@ interface(`mozilla_run_plugin_config',` ## ## # -interface(`mozilla_dbus_chat',` +interface(`webbrowser_dbus_chat',` gen_require(` - type mozilla_t; + type webbrowser_t; class dbus send_msg; ') - allow $1 mozilla_t:dbus send_msg; - allow mozilla_t $1:dbus send_msg; + allow $1 webbrowser_t:dbus send_msg; + allow webbrowser_t $1:dbus send_msg; ') ######################################## ## ## Send and receive messages from -## mozilla plugin over dbus. +## web browser plugin over dbus. ## ## ## 
@@ -420,19 +420,19 @@ interface(`mozilla_dbus_chat',` ## ## # -interface(`mozilla_dbus_chat_plugin',` +interface(`webbrowser_dbus_chat_plugin',` gen_require(` - type mozilla_plugin_t; + type webbrowser_plugin_t; class dbus send_msg; ') - allow $1 mozilla_plugin_t:dbus send_msg; - allow mozilla_plugin_t $1:dbus send_msg; + allow $1 webbrowser_plugin_t:dbus send_msg; + allow webbrowser_plugin_t $1:dbus send_msg; ') ######################################## ## -## Read and write mozilla TCP sockets. +## Read and write web browser TCP sockets. ## ## ## @@ -440,18 +440,18 @@ interface(`mozilla_dbus_chat_plugin',` ## ## # -interface(`mozilla_rw_tcp_sockets',` +interface(`webbrowser_rw_tcp_sockets',` gen_require(` - type mozilla_t; + type webbrowser_t; ') - allow $1 mozilla_t:tcp_socket rw_socket_perms; + allow $1 webbrowser_t:tcp_socket rw_socket_perms; ') ######################################## ## ## Create, read, write, and delete -## mozilla plugin rw files. +## web browser plugin rw files. ## ## ## @@ -459,18 +459,18 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # -interface(`mozilla_manage_plugin_rw_files',` +interface(`webbrowser_manage_plugin_rw_files',` gen_require(` - type mozilla_plugin_rw_t; + type webbrowser_plugin_rw_t; ') libs_search_lib($1) - manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + manage_files_pattern($1, webbrowser_plugin_rw_t, webbrowser_plugin_rw_t) ') ######################################## ## -## Read mozilla_plugin tmpfs files. +## Read webbrowser_plugin tmpfs files. ## ## ## 
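Review bot: The summary for the tmpfs-read interface is renamed to `## Read webbrowser_plugin tmpfs files.`, which keeps the raw identifier in the documentation while every other summary in this patch uses the prose form "web browser plugin"; the same applies to the delete summary in the next hunk. Suggest `## Read web browser plugin tmpfs files.` and `## Delete web browser plugin tmpfs files.` for consistency with the rest of the renamed summaries.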
@@ -478,18 +478,18 @@ interface(`mozilla_manage_plugin_rw_file ## ## # -interface(`mozilla_plugin_read_tmpfs_files',` +interface(`webbrowser_plugin_read_tmpfs_files',` gen_require(` - type mozilla_plugin_tmpfs_t; + type webbrowser_plugin_tmpfs_t; ') fs_search_tmpfs($1) - allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; + allow $1 webbrowser_plugin_tmpfs_t:file read_file_perms; ') ######################################## ## -## Delete mozilla_plugin tmpfs files. +## Delete webbrowser_plugin tmpfs files. ## ## ## @@ -497,19 +497,19 @@ interface(`mozilla_plugin_read_tmpfs_fil ## ## # -interface(`mozilla_plugin_delete_tmpfs_files',` +interface(`webbrowser_plugin_delete_tmpfs_files',` gen_require(` - type mozilla_plugin_tmpfs_t; + type webbrowser_plugin_tmpfs_t; ') fs_search_tmpfs($1) - allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; + allow $1 webbrowser_plugin_tmpfs_t:file delete_file_perms; ') ######################################## ## ## Create, read, write, and delete -## generic mozilla plugin home content. +## generic web browser plugin home content. ## ## ## 
@@ -517,23 +517,23 @@ interface(`mozilla_plugin_delete_tmpfs_f
 ## ## #
-interface(`mozilla_manage_generic_plugin_home_content',`
+interface(`webbrowser_manage_generic_plugin_home_content',`
 gen_require(`
- type mozilla_plugin_home_t;
+ type webbrowser_plugin_home_t;
 ')
 userdom_search_user_home_dirs($1)
- allow $1 mozilla_plugin_home_t:dir manage_dir_perms;
- allow $1 mozilla_plugin_home_t:file manage_file_perms;
- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
+ allow $1 webbrowser_plugin_home_t:dir manage_dir_perms;
+ allow $1 webbrowser_plugin_home_t:file manage_file_perms;
+ allow $1 webbrowser_plugin_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 webbrowser_plugin_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 webbrowser_plugin_home_t:sock_file manage_sock_file_perms;
 ')
 ########################################
 ## ## Create objects in user home
-## directories with the generic mozilla
+## directories with the generic web browser
 ## plugin home type. ## ##
@@ -552,10 +552,10 @@ interface(`mozilla_manage_generic_plugin
 ## ## #
-interface(`mozilla_home_filetrans_plugin_home',`
+interface(`webbrowser_home_filetrans_plugin_home',`
 gen_require(`
- type mozilla_plugin_home_t;
+ type webbrowser_plugin_home_t;
 ')
- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
+ userdom_user_home_dir_filetrans($1, webbrowser_plugin_home_t, $2, $3)
 ')
Index: refpolicy-2.20180701/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20180701/policy/modules/roles/staff.te
@@ -142,7 +142,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- mozilla_role(staff_r, staff_t)
+ webbrowser_role(staff_r, staff_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20180701/policy/modules/roles/sysadm.te
@@ -652,7 +652,7 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_role(sysadm_r, sysadm_t)
+ webbrowser_role(sysadm_r, sysadm_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20180701/policy/modules/roles/unprivuser.te
@@ -114,7 +114,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- mozilla_role(user_r, user_t)
+ webbrowser_role(user_r, user_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/roles/xguest.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/xguest.te
+++ refpolicy-2.20180701/policy/modules/roles/xguest.te
@@ -103,7 +103,7 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_role(xguest_r, xguest_t)
+ webbrowser_role(xguest_r, xguest_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/admin/prelink.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/prelink.te
+++ refpolicy-2.20180701/policy/modules/admin/prelink.te
@@ -141,7 +141,7 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_manage_plugin_rw_files(prelink_t)
+ webbrowser_manage_plugin_rw_files(prelink_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/apps/evolution.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/evolution.te
+++ refpolicy-2.20180701/policy/modules/apps/evolution.te
@@ -291,8 +291,8 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_read_user_home_files(evolution_t)
- mozilla_domtrans(evolution_t)
+ webbrowser_read_user_home_files(evolution_t)
+ webbrowser_domtrans(evolution_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/apps/gpg.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/gpg.te
+++ refpolicy-2.20180701/policy/modules/apps/gpg.te
@@ -171,7 +171,7 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_dontaudit_rw_user_home_files(gpg_t)
+ webbrowser_dontaudit_rw_user_home_files(gpg_t)
 ')
 optional_policy(`
@@ -306,7 +306,7 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+ webbrowser_dontaudit_rw_user_home_files(gpg_agent_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/apps/openoffice.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/openoffice.te
+++ refpolicy-2.20180701/policy/modules/apps/openoffice.te
@@ -140,8 +140,8 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_domtrans(ooffice_t)
- mozilla_read_tmp_files(ooffice_t)
+ webbrowser_domtrans(ooffice_t)
+ webbrowser_read_tmp_files(ooffice_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/apps/seunshare.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/seunshare.te
+++ refpolicy-2.20180701/policy/modules/apps/seunshare.te
@@ -39,6 +39,6 @@ ifdef(`hide_broken_symptoms', `
 fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
 optional_policy(`
- mozilla_dontaudit_manage_user_home_files(seunshare_t)
+ webbrowser_dontaudit_manage_user_home_files(seunshare_t)
 ')
 ')
Index: refpolicy-2.20180701/policy/modules/apps/thunderbird.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/thunderbird.te
+++ refpolicy-2.20180701/policy/modules/apps/thunderbird.te
@@ -151,7 +151,7 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_dbus_chat(thunderbird_t)
+ webbrowser_dbus_chat(thunderbird_t)
 ')
 ')
@@ -175,8 +175,8 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_read_user_home_files(thunderbird_t)
- mozilla_domtrans(thunderbird_t)
+ webbrowser_read_user_home_files(thunderbird_t)
+ webbrowser_domtrans(thunderbird_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/apps/wm.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/wm.te
+++ refpolicy-2.20180701/policy/modules/apps/wm.te
@@ -126,7 +126,7 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_dbus_chat(wm_domain)
+ webbrowser_dbus_chat(wm_domain)
 ')
 optional_policy(`