diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index dfcb9e854..01427996c 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -4,18 +4,29 @@
##
## Role access for mozilla.
##
-##
+##
##
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
##
##
-##
+##
##
## User domain for the role.
##
##
+##
+##
+## User exec domain for execute and transition access.
+##
+##
+##
+##
+## Role allowed access
+##
+##
#
-interface(`mozilla_role',`
+template(`mozilla_role',`
gen_require(`
type mozilla_t, mozilla_exec_t, mozilla_home_t;
type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
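Review bot: The header comment documents the four parameters but not that the argument order changed: the role moved from the first to the fourth position, and the first argument is now a bare prefix. A sentence in the description would help a maintainer updating an older call, for example `## Callers pass the role prefix first and the role last; the prefix is handed to systemd_user_app_status.` The new fourth description, `Role allowed access`, has also lost the full stop that the other parameter descriptions carry. The template body continues past the end of this hunk.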
@@ -28,25 +39,25 @@ interface(`mozilla_role',`
# Declarations
#
- roleattribute $1 mozilla_roles;
+ roleattribute $4 mozilla_roles;
########################################
#
# Policy
#
- domtrans_pattern($2, mozilla_exec_t, mozilla_t)
+ domtrans_pattern($3, mozilla_exec_t, mozilla_t)
- allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
- ps_process_pattern($2, mozilla_t)
+ allow $3 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
+ ps_process_pattern($3, mozilla_t)
- allow mozilla_t $2:process signull;
- allow mozilla_t $2:unix_stream_socket connectto;
+ allow mozilla_t $3:process signull;
+ allow mozilla_t $3:unix_stream_socket connectto;
- allow $2 mozilla_t:fd use;
- allow $2 mozilla_t:shm rw_shm_perms;
+ allow $3 mozilla_t:fd use;
+ allow $3 mozilla_t:shm rw_shm_perms;
- stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
+ stream_connect_pattern($3, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
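Review bot: Moving the whole `allow ... mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }` rule to `$3` grants `ptrace` and signal permissions on the browser domain to everything behind the exec-domain argument, not just to the user domain. The callers pass names such as `staff_application_exec_domain` and `xguest_application_exec_domain`, which look like attributes that may hold more than one type; their membership is not visible in this diff, so this should be confirmed. Only `noatsecure siginh rlimitinh` relate to the transition itself, so the rule could be split as `allow $3 mozilla_t:process { noatsecure siginh rlimitinh };` and `allow $2 mozilla_t:process { ptrace signal_perms };`. The same question applies to `ps_process_pattern($3, mozilla_t)`, the `fd use` and `shm rw_shm_perms` rules, the `signull`/`connectto` rules in this hunk, and `mozilla_dbus_chat($3)` in the next hunk. The template body starts before and ends after this hunk.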
@@ -68,7 +79,11 @@ interface(`mozilla_role',`
allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
optional_policy(`
- mozilla_dbus_chat($2)
+ mozilla_dbus_chat($3)
+ ')
+
+ optional_policy(`
+ systemd_user_app_status($1, mozilla_t)
')
')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 9aab3b6f0..2580caa59 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -135,7 +135,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- mozilla_role(staff_r, staff_t)
+ mozilla_role(staff, staff_t, staff_application_exec_domain, staff_r)
')
optional_policy(`
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 92aa377e1..c4e402c18 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -625,7 +625,7 @@ optional_policy(`
')
optional_policy(`
- mozilla_role(sysadm_r, sysadm_t)
+ mozilla_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
')
optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6f417d5b5..bf859daef 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -103,7 +103,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- mozilla_role(user_r, user_t)
+ mozilla_role(user, user_t, user_application_exec_domain, user_r)
')
optional_policy(`
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index 4daacc545..ae8e69f28 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -98,7 +98,7 @@ optional_policy(`
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
+ mozilla_role(xguest, xguest_t, xguest_application_exec_domain, xguest_r)
')
optional_policy(`