9 files changed, 22 insertions, 12 deletions

diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 01f60b559..d757d6f49 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -13,7 +13,8 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/abrowser
 whitelist ${HOME}/.mozilla
 
-# private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,abrowser,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
+# private-etc must first be enabled in firefox-common.profile
+#private-etc abrowser
 
 
 # Redirect
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
index b4e299337..4ff96311d 100644
--- a/etc/cliqz.profile
+++ b/etc/cliqz.profile
@@ -13,7 +13,8 @@ mkdir ${HOME}/.config/cliqz
 whitelist ${HOME}/.cache/cliqz
 whitelist ${HOME}/.config/cliqz
 
-# private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,cliqz,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
+# private-etc must first be enabled in firefox-common.profile
+#private-etc cliqz
 
 # Redirect
 include /etc/firejail/firefox-common.profile
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index be9e62123..ce51906ba 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -14,7 +14,8 @@ whitelist ${HOME}/.8pecxstudios
 whitelist ${HOME}/.cache/8pecxstudios
 
 # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse
+# private-etc must first be enabled in firefox-common.profile
+#private-etc cyberfox
 
 # Redirect
 include /etc/firejail/firefox-common.profile
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 33d522353..0c4271edc 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -36,6 +36,8 @@ tracelog
 
 disable-mnt
 private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 15ca094f1..0ab6a6141 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -14,9 +14,9 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
 # firefox requires a shell to launch on Arch.
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
-# private-etc below works fine on most distributions. There are some problems on CentOS.
-# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
+#private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+# private-etc must first be enabled in firefox-common.profile
+#private-etc firefox
 
 # Redirect
 include /etc/firejail/firefox-common.profile
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 1470d4b12..42e762c21 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -13,7 +13,8 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/icecat
 whitelist ${HOME}/.mozilla
 
-# private-etc icecat,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
+# private-etc must first be enabled in firefox-common.profile
+#private-etc icecat
 
 # Redirect
 include /etc/firejail/firefox-common.profile
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile
index f6b57dde0..51f15aa1b 100644
--- a/etc/iceweasel.profile
+++ b/etc/iceweasel.profile
@@ -5,6 +5,8 @@ include /etc/firejail/iceweasel.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# private-etc must first be enabled in firefox-common.profile
+#private-etc iceweasel
 
 # Redirect
 include /etc/firejail/firefox.profile
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index e59f20e9d..ff7087e55 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -13,9 +13,10 @@ mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
 
-# private-bin palemoon
-# private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,palemoon,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
-# private-opt palemoon
+#private-bin palemoon
+# private-etc must first be enabled in firefox-common.profile
+#private-etc palemoon
+#private-opt palemoon
 
 # Redirect
 include /etc/firejail/firefox-common.profile
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index 521295dfa..fdd299bbf 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -20,8 +20,9 @@ whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.waterfox
 
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
-# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
-# private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
+#private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
+# private-etc must first be enabled in firefox-common.profile
+#private-etc waterfox
 
 # Redirect
 include /etc/firejail/firefox-common.profile