Please disable the SELinux execstack/relro checks before FC5 final

Daniel J Walsh dwalsh at redhat.com
Mon Feb 20 20:52:02 UTC 2006


Ivan Gyurdiev wrote:
>
>> If we cannot move the moz/ffox/tbird into their own domain then, yes,
>> disable the checks for unconfined processes.  But we should keep the
>> tests for all programs which have their own domain.
>>   
> Moz/ffox/tbird cannot be moved into their own domain until we have the 
> capability to launch content handling applications from within 
> firefox, and have them enter the proper domain. This is particularly 
> difficult, because some of those applications (i.e. openoffice) don't 
> have a domain at the moment (and creating one would be difficult). 
> That means firefox must be allowed to transition into 
> user_t/unconfined_t, which defeats any attempt at security. Launching 
> one application within another is the primary reason why the desktop 
> can't be confined.
That is not entirely true.  java, wine and mono all run in their own 
domain in targeted which is unconfined.  I could do similar for
thunderbird, firefox and friends.  We are not trying to confine these 
apps, but trying to confine the exec* apps to as few as possible.

>
> In the old strict policy firefox and mozilla were confined, and I 
> worked on the evolution and thunderbird policies over the summer. I 
> think the basic functionality was working, but those programs could 
> not be allowed to launch other apps. We need a trusted program to be 
> responsible for that, so that firefox can't transition into the 
> generic domain.
>
> There are other problems as well, including limiting those programs' 
> ability to write to the user home directory, and the top level /tmp 
> directory (what good does confining an application do, if it can still 
> overwrite all your important files, or steal your credit card info?). 
> There's marking of content as potentially hostile, and management of 
> that content.
>
> There's an effort to limit bonobo connections from firefox to 
> restricted domains only (no user_t/unconfined_t connections).... also 
> challenging, because there are so many things firefox talks to, and one 
> of them is sufficient to necessitate allowing a communications channel 
> to user_t/unconfined_t.
>
> =============
>
> Currently the firefox/moz/tbird/evolution policies have not been 
> ported yet to the new refpolicy.  They also require the policies for 
> bonobo, orbit, gnome and other desktop-related things (also not yet 
> ported). Even when they are ported, I doubt they would meet the needs 
> of targeted-policy users.

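As an added illustration of what the execstack/relro checks in the subject line look at (example code written for this page, not from the thread, from Fedora's tools, or from SELinux itself), here is a small ELF64 program-header inspector. It reports whether a binary asks for an executable stack via PT_GNU_STACK and whether it carries a PT_GNU_RELRO segment; the sample images are constructed inline and are not loadable binaries.

```python
import struct

# Program header types and flags from the ELF ABI / GNU extensions.
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1


def elf_hardening(data: bytes) -> dict:
    """Inspect ELF64 program headers for stack executability and RELRO."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        raise ValueError("only ELF64 images are handled here")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA 1 == little-endian
    (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    execstack = None  # None: no PT_GNU_STACK at all (old toolchains)
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(endian + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            execstack = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"execstack": execstack, "relro": relro}


def needs_execstack(report: dict) -> bool:
    """True when the kernel would map the stack executable (flag set or header missing on x86)."""
    return report["execstack"] is not False


def build_elf(phdrs) -> bytes:
    """Constructed ELF64 x86-64 image holding only the given (p_type, p_flags) headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body


# Constructed samples: hardened, legacy (no PT_GNU_STACK), and explicit execstack.
HARDENED = build_elf([(1, 0x5), (PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
LEGACY = build_elf([(1, 0x5)])
EXECSTACK = build_elf([(1, 0x5), (PT_GNU_STACK, 0x7)])

if __name__ == "__main__":
    for name, img in (("hardened", HARDENED), ("legacy", LEGACY), ("execstack", EXECSTACK)):
        rep = elf_hardening(img)
        print(name, rep, "needs execstack:", needs_execstack(rep))
```

Run it against a real binary with `elf_hardening(open(path, "rb").read())`; a legacy image without PT_GNU_STACK is the case that trips the check even though no flag was explicitly requested.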



More information about the fedora-devel-list mailing list