Hi I want to write a policy for firefox, as to me, it is almost an always-on always-running network daemon. I think there will always be another vulnerability leading to remote code execution. But how can a policy protect against that? Using policygentool, I created a policy for firefox-bin. It created a domain. And I labeled the starter script /usr/bin/firefox as "initrc_exec_t" . The ".mozilla" dir became the log dir. I also created a dir labeled "download_t" so I can save files there. I think I should take away "read" for "user_home_t" too. So I guess the new domain will prevent transition into bin_t, sbin_t and others. But I notice the generated te allows exec of all "lib_t" libraries. That is an awful lot of libraries with lots of functions and probably a lot of bugs. Should I be worried? If I follow the doctrine of whitelisting everything and least privilege, I ought to label and specifically permit only the libraries that are needed, right? I am starting on identifying and labelling, but I have a feeling that it will become a maintenance nightmare. Maybe I don't fully understand "remote code execution". To me, it just means being able to conjure up a shell and running some hacker magic to gain root. Maybe the exploit doesn't even require a shell, and can wiggle its way through the vast lib_t for its own end. :( Apart from minimal library usage, what other correct behaviours should I restrict firefox to? Peter