Re: Why is mozplugger still installed by default on F11 it conflicts with SELinux since it causes oofice to run as nsplugin_t

On 04/17/2009 10:23 AM, Simo Sorce wrote:
> On Fri, 2009-04-17 at 10:08 -0400, Daniel J Walsh wrote:
>> There is certainly argument about the value of this package and it
>> breaks nsplugin/SELinux functionality.
>>
>> A confined nsplugin is a nice feature for confining plugins downloaded
>> from the network.  But if you run openoffice and evince from within
>> nsplugin they get confined, causing the apps to not work properly.
>
> Is there a way to make specific transition rules for known apps like
> evince or openoffice?
> Would it make sense to do so?


Yes I can but the rules end up being something like

nsplugin_t -> openoffice_exec_t -> unconfined_t.

So if someone can figure out a way to get openoffice to do something evil from the command line, it becomes a fairly easy avenue of attack.

Similarly for evince.
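
An added example, not part of the original thread: a small policy audit that flags the kind of rule discussed above, a process transition taking a confined domain straight to `unconfined_t`. The rule text is constructed sample input in SELinux `type_transition` syntax; `evince_exec_t`, the other sample type names, and the function names are assumptions made for illustration.

```python
import re

# SELinux policy syntax for a process domain transition:
#   type_transition <source_domain> <entrypoint_exec_type>:process <new_domain>;
RULE = re.compile(
    r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*process\s+(\S+?)\s*;"
)

# Assumption: the set of domains treated as unconfined for this audit.
UNCONFINED = {"unconfined_t"}


def parse_transitions(text):
    """Return (source, entrypoint, target) for each process type_transition."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop policy comments
        m = RULE.match(line)
        if m:
            rules.append(m.groups())
    return rules


def confinement_escapes(text, confined):
    """Transitions that move a confined domain directly into an unconfined one."""
    return [
        rule for rule in parse_transitions(text)
        if rule[0] in confined and rule[2] in UNCONFINED
    ]


# Constructed sample rules (not taken from any shipped policy).
SAMPLE = """\
# per-application exceptions of the kind proposed in the thread
type_transition nsplugin_t openoffice_exec_t:process unconfined_t;
type_transition nsplugin_t evince_exec_t:process unconfined_t;
# entering the sandbox, and staying inside confined domains
type_transition unconfined_t nsplugin_exec_t:process nsplugin_t;
type_transition nsplugin_t nsplugin_config_exec_t:process nsplugin_config_t;
# a file transition, ignored by the process-only parser
type_transition nsplugin_t nsplugin_rw_t:file nsplugin_rw_t;
"""

if __name__ == "__main__":
    for src, entry, dst in confinement_escapes(SAMPLE, {"nsplugin_t"}):
        print(f"{src} -> {entry} -> {dst}")
```
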

