Daniel J Walsh:
> In this case we have to allow mozilla-plugin to create any file in
> the homedir if it does not exist and label it mozilla_home_t.

Ouch!  I had hoped something like the regular expressions of "semanage
fcontext" could have done it simpler.

Hm.  I wonder if there might be a better way.  In the case of BankID
the plugin starts a separate binary that does some of the work.  I
believe, in particular, it's that binary that creates the problematic
file.

Maybe I could write a policy module that puts this binary in a
specific domain when started from mozilla_plugin_t.  I would have to
let that domain create files in the home directory, but I wouldn't
have to let ALL plugins do it.  It would be a bit better.

I'll give it a try.  It will be a much more advanced module than I've
done before.