Confining Firefox
- From: Christoph Höger <choeger cs tu-berlin de>
- To: "Fedora-Selinux-List (E-mail)" <fedora-selinux-list redhat com>
- Subject: Confining Firefox
- Date: Thu, 10 Apr 2008 00:57:17 +0200
Hi,

I've just read Daniel's livejournal entry about confining firefox.
One thing that hit me, when I dug a little deeper into SELinux last
semester, was that firefox can actually read ~/.ssh.
I don't know _any_ reason why it should.
And I assume this is one kind of access that SELinux should prevent.

Away from talking about explicit deny rules, I would suggest that in
Fedora 9 you (the active SELinux developers) deny it using something
like a "unconfined_for_all_applications_but_firefox_and_fellows_t" to
cut off those security-relevant directories.
Otherwise the next *-plugin exploit could crack even whole enterprise
networks by reading admins' ssh keys.

regards
christoph

PS: What is the current state of getting a real
"High-Level-Language(TM)" for SELinux configuration?