Back onto the topic of sharing profiles: here's a profile I've made for Firefox. It allows downloading only to ~/Downloads/, and it allows uploading from ~/Music/, ~/Pictures/, or ~/Videos/. It also allows downloading to /tmp/, and PDF files may be opened from Firefox with Evince (the default PDF viewer in GNOME). The OpenJDK plugin is allowed as the Java plugin. Note that the profile is attached to /usr/lib/firefox-3.0.5/firefox.sh, so that path has to be adjusted if your Firefox version differs; otherwise the profile will not apply.

Code:
#include <tunables/global>
# AppArmor profile confining Firefox 3.0.5 when started through its wrapper script.
# Permission letters used below: r = read, w = write, k = file locking,
# m = mmap with PROT_EXEC, ix = execute and stay under this same profile.
# "owner" limits a rule to files owned by the user running the confined process.
# NOTE(review): the attachment path is pinned to firefox-3.0.5 while the rules
# inside use firefox-* globs. If an upgrade changes this path the profile stops
# attaching and the browser runs unconfined; re-check the path (for example with
# aa-status) after every Firefox update.
/usr/lib/firefox-3.0.5/firefox.sh {
    # Shared rule sets pulled in from the AppArmor abstractions directory.
    # No /tmp rule appears in this profile itself, so the /tmp access the post
    # describes presumably comes from abstractions/user-tmp -- verify locally.
    #include <abstractions/base>
    #include <abstractions/gnome>
    #include <abstractions/nameservice>
    #include <abstractions/user-tmp>

##### BEGIN READ-ONLY PERMISSIONS #####
    # This section is mostly plain "r"; a few entries also carry "m" (shared
    # objects that must be mapped executable) or "k" (locking).
    owner @{HOME}/ r,
    owner @{HOME}/.esd_auth r,
    owner @{HOME}/.icons/ r,
    # NOTE(review): .local/** is a broad read grant and may hold data of other
    # applications (on newer desktops, for example, keyrings under .local/share).
    # Consider narrowing it to the subdirectories the browser needs.
    owner @{HOME}/.local/** r,
    # NOTE(review): the read-write section below grants "w" on .mozilla/**, so
    # together with "m" here the confined process can write a .so into its own
    # profile directory and then map it executable. Anything loaded that way is
    # still bound by this profile, but the write+exec overlap is worth removing
    # if extensions with native libraries are not needed.
    owner @{HOME}/.mozilla/firefox/**.so rm,
    owner @{HOME}/.thumbnails/** r,
    # Read-only media directories: the upload sources mentioned in the post.
    owner @{HOME}/Music/ r,
    owner @{HOME}/Music/** r,
    owner @{HOME}/Pictures/ r,
    owner @{HOME}/Pictures/** r,
    owner @{HOME}/Videos/ r,
    owner @{HOME}/Videos/** r,

    # /proc: the per-process entries are "owner" rules, so only processes of the
    # same user are readable; the remaining entries are system-wide values.
    @{PROC}/ r,
    owner @{PROC}/*/fd/ r,
    owner @{PROC}/*/cmdline r,
    owner @{PROC}/*/maps r,
    owner @{PROC}/*/mounts r,
    owner @{PROC}/*/net/** r,
    owner @{PROC}/*/stat r,
    @{PROC}/sys/kernel/pid_max r,
    @{PROC}/uptime r,
    @{PROC}/version r,

    /dev/tty r,

    # System configuration. "/etc/ r" only lists the directory; file contents
    # are readable only where a more specific rule below names them.
    /etc/ r,
    /etc/firefox-*/pref/ r,
    /etc/firefox-*/pref/* r,
    /etc/gre.d/ r,
    /etc/gre.d/* r,
    /etc/java-6-openjdk/** r,
    /etc/kde4/** r,
    /etc/lsb-release r,
    /etc/pulse/* r,
    /etc/ssl/certs/** r,
    /etc/xulrunner-*/* r,

    /etc/gnome/defaults.list r,
    /etc/kde4rc r,
    /etc/mailcap r,
    /etc/mime.types r,
    /etc/mtab r,
    /etc/sound/events/gtk-events-2.soundlist r,

    /sys/devices/system/cpu/** r,

    # Libraries and plugins under /usr/lib that may be mapped executable ("m").
    # None of these paths is writable under this profile.
    /usr/lib/browser-plugins/** rm,
    /usr/lib/firefox-*/**.so rm,
    /usr/lib/jvm/** rm,
    /usr/lib/kde4/**.so rm,

    /usr/local/share/applications/ r,
    /usr/local/share/applications/* r,
    /usr/local/share/mime/** r,

    # Shared read-only data: sound, desktop entries, icons, Java, locales,
    # MIME database, spell-check dictionaries.
    /usr/share/alsa/** r,
    /usr/share/applications/ r,
    /usr/share/applications/** r,
    /usr/share/evince/** r,
    /usr/share/gvfs/remote-volume-monitors/ r,
    /usr/share/gvfs/remote-volume-monitors/* r,
    /usr/share/icons/**.theme rk,
    /usr/share/java/** r,
    /usr/share/kubuntu-default-settings/** r,
    /usr/share/libthai/** r,
    /usr/share/locale-langpack/** r,
    /usr/share/mime/** r,
    /usr/share/myspell/dicts/ r,
    /usr/share/myspell/dicts/** r,
    /usr/share/ubufox/** r,
##### END READ-ONLY PERMISSIONS #####

##### BEGIN WRITE-ONLY PERMISSIONS #####
    # "w" on a socket path is what lets the process connect to it: CUPS for
    # printing and the D-Bus system bus.
    # NOTE(review): these are file rules only; nothing in this profile limits
    # which services are contacted over the system bus once connected.
    /var/run/cups/cups.sock w,
    /var/run/dbus/system_bus_socket w,
##### END WRITE-ONLY PERMISSIONS #####

##### BEGIN READ-WRITE PERMISSIONS #####
    # NOTE(review): .config/** and .kde/** are far wider than the "downloads go
    # only to ~/Downloads" description suggests. Both trees contain locations
    # the desktop session processes at login (e.g. .config/autostart,
    # .kde/Autostart), and whatever the session starts from there is not bound
    # by this profile. Narrow these globs to the specific subdirectories
    # Firefox and Evince actually use.
    owner @{HOME}/.config/** rwk,
    owner @{HOME}/.gnome2/accelsevince rw,
    owner @{HOME}/.gnome2/evince/** rw,
    owner @{HOME}/.icedteaplugin/** rw,
    owner @{HOME}/.java/** rwk,
    owner @{HOME}/.kde/** rwk,
    owner @{HOME}/.macromedia/** rw,
    owner @{HOME}/.mozilla/** rwk,
    owner @{HOME}/.recently-used.xbel* rwk,
    # Download target. The rule carries neither "m" nor an exec mode, so files
    # saved here cannot be exec'd or mapped executable under this rule.
    owner @{HOME}/Downloads/ rw,
    owner @{HOME}/Downloads/** rw,

    # Shared memory and sound devices.
    /dev/shm/ rw,
    /dev/shm/* rw,
    /dev/snd/* rw,
##### END READ-WRITE PERMISSIONS #####

##### BEGIN EXECUTE PERMISSIONS #####
    # Every exec rule here uses "ix": the child keeps running under this same
    # profile. There are no transitions to other profiles or to unconfined.
    # A shell (dash) is among the permitted programs, so anything it runs is
    # limited to the file rules above.
    /bin/dash rmix,
    /bin/grep rix,
    /bin/ps rix,
    /bin/readlink rmix,
    /bin/sed rix,

    /usr/bin/basename rix,
    /usr/bin/dirname rix,
    # Evince inherits Firefox's profile, which is why Evince's own config and
    # data paths are listed in the sections above.
    /usr/bin/evince rix,
    /usr/bin/launchpad-integration rix,

    /usr/lib/firefox-*/firefox ix,
    /usr/lib/firefox-*/firefox.sh ix,
    /usr/lib/gamin/gam_server ix,
    # OpenJDK binaries used by the Java plugin, also kept inside this profile.
    /usr/lib/jvm/java-6-openjdk/jre/bin/** rix,
##### END EXECUTE PERMISSIONS #####
}