[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: firefox problems with: browser_confine_unconfined --> on

From: "Christoph A." <casmls gmail com>
To: Daniel J Walsh <dwalsh redhat com>
Cc: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
Subject: Re: firefox problems with: browser_confine_unconfined --> on
Date: Tue, 13 May 2008 16:25:02 +0200

Daniel J Walsh wrote:

> Well I don't really believe in confining firefox in this way, because of
> the transitions available.
> 
> 
> You can confine nsplugin though
> 
> http://danwalsh.livejournal.com/15700.html
> 
> 
> The problem with confining firefox is somewhat covered in this article,
> but where it really breaks is in helper applications.

Yes, I'm a reader of your blog (thanks for posting this interessting
informations)

> unconfined_mozilla_t runs ooffice and office ends up in
> unconfined_mozilla_t but if thunderbird or you launch ooffice directly
> it runs unconfined_t and things get confused.

For me it would be fine to save a file (pdf, odt, ..) to disk
(~/Downloads) prior to open it with the apropriate program (pdf-reader,
openoffice, ...) in the unconfined_t domain and not starting these
programs directly within firefox.

I admit that normal enduser would not like this extra step just to get
more security.

regards,
Christoph A.

References:
- firefox problems with: browser_confine_unconfined --> on
  - From: Christoph A.
- Re: firefox problems with: browser_confine_unconfined --> on
  - From: Daniel J Walsh
- Re: firefox problems with: browser_confine_unconfined --> on
  - From: Christoph A.
- Re: firefox problems with: browser_confine_unconfined --> on
  - From: Daniel J Walsh

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]