Daniel J Walsh:
> In this case we have to allow mozilla-plugin to create any file in
> the homedir if it does not exist and label it mozilla_home_t.

Ouch! I had hoped something like the regular expressions of "semanage
fcontext" could have done it simpler.

Hm. I wonder if there might be a better way. In the case of BankID
the plugin starts a separate binary that does some of the work. I
believe, in particular, it's that binary that creates the problematic
file.

Maybe I could write a policy module that puts this binary in a
specific domain when started from mozilla_plugin_t. I would have to
let that domain create files in the home directory, but I wouldn't
have to let ALL plugins do it. It would be a bit better.

I'll give it a try. It will be a much more advanced module than I've
done before.
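
The approach described in the message above, written out as a reference-policy module. This is an added example, not code from the thread: the module name, the `bankid_helper_t` and `bankid_helper_exec_t` types and the executable path are hypothetical, and it assumes the browser runs under `unconfined_r`.

```selinux
# bankid_helper.te (added example; every bankid_helper* name is hypothetical)
policy_module(bankid_helper, 1.0.0)

gen_require(`
	type mozilla_plugin_t, mozilla_home_t;
	role unconfined_r;
')

# A dedicated domain for the helper and an entrypoint type for its executable.
type bankid_helper_t;
type bankid_helper_exec_t;
application_domain(bankid_helper_t, bankid_helper_exec_t)

# Assumption: the login user runs in unconfined_r. A confined user role
# (staff_r, user_r, ...) needs its own "role ... types" line.
role unconfined_r types bankid_helper_t;

# Only this executable, and only when started from mozilla_plugin_t,
# enters the new domain. Other plugins stay in mozilla_plugin_t.
domtrans_pattern(mozilla_plugin_t, bankid_helper_exec_t, bankid_helper_t)

# Files and directories the helper creates directly in the home directory
# are labelled mozilla_home_t at creation time, and the helper may manage
# objects of that type afterwards.
userdom_user_home_dir_filetrans(bankid_helper_t, mozilla_home_t, { dir file })
manage_dirs_pattern(bankid_helper_t, mozilla_home_t, mozilla_home_t)
manage_files_pattern(bankid_helper_t, mozilla_home_t, mozilla_home_t)

# bankid_helper.fc (separate file). The path is a placeholder for wherever
# the helper binary is installed:
# /PATH/TO/BANKID/HELPER	--	gen_context(system_u:object_r:bankid_helper_exec_t,s0)
```

The module builds with `make -f /usr/share/selinux/devel/Makefile bankid_helper.pp` and loads with `semodule -i bankid_helper.pp`, followed by `restorecon` on the helper binary. Whatever else the helper needs shows up as AVC denials for `bankid_helper_t`, which can be reviewed and added rule by rule.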