Bug 1286177

Summary: RFE: Review and turn mozilla_plugin_can_network_connect boolean on
Product: [Fedora] Fedora
Reporter: Miroslav Grepl <mgrepl>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: high
Version: rawhide
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-161.fc24
Doc Type: Bug Fix
Last Closed: 2016-01-21 15:14:06 UTC
Type: Bug

Description Miroslav Grepl 2015-11-27 12:19:35 UTC
Description of problem:

Currently, a lot of SELinux policy bugs are caused by random Firefox plugins trying to connect to random ports. We have a boolean for these cases, which is turned off by default. With this boolean we block some ports, but some ports are already allowed by default.

mozilla_plugin_can_network_connect (off  ,  off)  Allow mozilla plugin domain to connect to the network using TCP.

This bug suggests turning this boolean on by default so this basic plugin functionality is not blocked by SELinux, but it still keeps plugin isolation.
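
The following is an added example, not part of the original report or of selinux-policy: two shell functions that read the `semanage boolean -l` line format quoted above, where the first value in parentheses is the runtime state and the second is the persistent default. The function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input. Line 1 is the listing line quoted in the report;
# line 2 is an invented entry (not a real boolean) that shows drift.
SAMPLE_LISTING='mozilla_plugin_can_network_connect (off  ,  off)  Allow mozilla plugin domain to connect to the network using TCP.
example_constructed_boolean (on   ,  off)  Constructed entry, not a real boolean.'

# bool_status NAME
# Reads a boolean listing on stdin and prints "STATE DEFAULT" for NAME.
# Returns 1 when NAME does not appear in the listing.
bool_status() {
    awk -v name="$1" '
        $1 == name {
            line = $0
            sub(/^[^(]*\(/, "", line)   # drop the name and the opening "("
            sub(/\).*$/, "", line)      # drop ")" and the description
            gsub(/[ \t]/, "", line)     # leaves e.g. "off,off"
            split(line, v, ",")
            print v[1], v[2]
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# drifted_booleans
# Reads a boolean listing on stdin and prints the name of every boolean whose
# runtime state differs from its persistent default (for example, one that was
# flipped with setsebool but without -P).
drifted_booleans() {
    awk '
        match($0, /\([a-z]+[ \t]*,[ \t]*[a-z]+\)/) {
            pair = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/[ \t]/, "", pair)
            split(pair, v, ",")
            if (v[1] != v[2]) print $1
        }
    '
}

# Demo on the constructed sample; on a live system, pipe in
# the output of `semanage boolean -l` instead.
printf '%s\n' "$SAMPLE_LISTING" | bool_status mozilla_plugin_can_network_connect
```

Running `drifted_booleans` on a host before and after a policy update is a quick way to see whether a changed default, such as the one requested here, has altered the effective state.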