Why is mozplugger still installed by default on F11 it conflicts with SELinux since it causes ooffice to run as nsplugin_t

Daniel J Walsh dwalsh at redhat.com
Fri Apr 17 14:46:40 UTC 2009


On 04/17/2009 10:23 AM, Simo Sorce wrote:
> On Fri, 2009-04-17 at 10:08 -0400, Daniel J Walsh wrote:
>> There is certainly argument about the value of this package and it
>> breaks nsplugin/SELinux functionality.
>>
>> A confined nsplugin is a nice feature for confining plugins downloaded
>> from the network.  But if you run openoffice and evince from within
>> nsplugin they get confined, causing the apps to not work properly.
>
> Is there a way to make specific transition rules for known apps like
> evince or openoffice?
> Would it make sense to do so?
>
> Simo.
>
Yes, I can, but the rules end up being something like

nsplugin_t -> openoffice_exec_t -> unconfined_t.

So if someone can figure out a way to get openoffice to do something
evil from the command line, it becomes a fairly easy avenue of attack.

Similarly for evince.
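
Added example, not part of the original message or of any Fedora policy: a small audit script that reads `type_transition` rules and reports every chain of exec transitions by which a confined domain reaches `unconfined_t`, the kind of rule discussed above. The sample rules are constructed for illustration, and the script assumes the matching `allow` rules exist for each transition.

```python
import re
from collections import deque

# Constructed sample rules for illustration (not copied from a shipped policy).
SAMPLE_RULES = """
type_transition unconfined_t nsplugin_exec_t:process nsplugin_t;
type_transition nsplugin_t nsplugin_config_exec_t:process nsplugin_config_t;
type_transition nsplugin_t openoffice_exec_t:process unconfined_t;
type_transition nsplugin_t home_t:file nsplugin_home_t;
"""

# Only process-class transitions change the domain a program runs in.
RULE = re.compile(r"^type_transition\s+(\w+)\s+(\w+):process\s+(\w+);$")


def parse_process_transitions(text):
    """Return {source_domain: [(entry_type, new_domain), ...]}."""
    edges = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            src, entry, new = m.groups()
            edges.setdefault(src, []).append((entry, new))
    return edges


def escape_paths(edges, start, target="unconfined_t"):
    """Breadth-first search for exec chains leading from start to target."""
    paths, queue = [], deque([(start, [])])
    while queue:
        domain, hops = queue.popleft()
        for entry, new in edges.get(domain, []):
            step = hops + [(domain, entry, new)]
            if new == target:
                paths.append(step)
            elif all(new != src for src, _, _ in step):  # skip cycles
                queue.append((new, step))
    return paths


def report(text, start):
    """Format each path as 'domain -> entry_type -> domain ...'."""
    lines = []
    for path in escape_paths(parse_process_transitions(text), start):
        parts = [path[0][0]]
        for _, entry, new in path:
            parts += [entry, new]
        lines.append(" -> ".join(parts))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RULES, "nsplugin_t"):
        print("confined domain can leave confinement:", line)
```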




