Thank you, unknown genius!

max maximilianbianco at gmail.com
Sun Apr 13 16:52:00 UTC 2008


Les Mikesell wrote:
> Antonio Olivares wrote:
>>
>> Les,
>>
>> nspluginwrapper is there, and selinux is there as
>> well, what part of the code do you suggest is not
>> there.
> 
> I didn't think plugins were currently loaded by nspluginwrapper, and end 
> users aren't likely to be able to set that up or develop suitable policies 
> by themselves.
> 
>> Selinux is there to protect you from malicious
>> websites that try to execute random code onto your
>> machine.
> 
> The question is, how does it know malicious code from what you want the 
> browser to do?
> 

I don't think it does know malicious code. Heuristic analysis often ends 
in false positives. It's based on permission, AFAIK: does it have 
permission to read or modify a particular file or directory? The bottom 
line is Firefox is difficult to confine. Browsers, after the users, are 
probably the weakest link in the security chain. One thing we as users 
should do is refuse to use unsafe code. I missed an episode of Battlestar 
Galactica so I hopped over to the website to watch it there; as soon as I 
get to scifi.com I get this (edited for length):


  Summary:

  SELinux is preventing npviewer.bin from changing a writable memory segment
  executable.

  Detailed Description:

  The npviewer.bin application attempted to change the access protection of memory
  (e.g., allocated using malloc). This is a potential security problem.
  Applications should not be doing this. Applications are sometimes coded
  incorrectly and request this permission. The SELinux Memory Protection Tests
  (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
  remove this requirement. If npviewer.bin does not work and you need it to work,
  you can configure SELinux temporarily to allow this access until the application
  is fixed. Please file a bug report
  (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Nice to know SELinux is doing its job. I won't allow the access, even 
though I know how to go about it. Why?
'Cause it's not safe and I'll catch the rebroadcast tonight anyway. 
Allowing the access, in my opinion, just encourages this sort of coding. 
If people stop using a program until it can be proven to be 
safe (relatively) then the people who write them will either fix it or 
better yet start from scratch and write something the right way the 
first time, not that I think it was written with a security flaw on 
purpose but there it is.

Max
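
Added example, not part of the original message: a small triage script that tallies SELinux memory-protection denials per program from audit log lines, so the offending package can be reported instead of the access being allowed. The log lines are constructed samples, the alert above does not name the permission (execmem is assumed here), and "demo-player" is a hypothetical program name.

```python
import re
from collections import defaultdict

# Permissions covered by the SELinux memory protection tests.
MEM_PERMS = {"execmem", "execheap", "execstack", "execmod"}

# Matches the AVC denial record format written by the kernel audit subsystem.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
)

# Constructed sample input (not taken from the original message).
SAMPLE_LOG = [
    'type=AVC msg=audit(1208105460.101:211): avc:  denied  { execmem } for  pid=4120 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1208105460.101:211): arch=40000003 syscall=125 success=no exit=-13 comm="npviewer.bin"',
    'type=AVC msg=audit(1208105461.530:212): avc:  denied  { execmem } for  pid=4120 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    'type=AVC msg=audit(1208105470.002:215): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" dev=dm-0 ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1208105499.900:220): avc:  denied  { execstack } for  pid=4302 comm="demo-player" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
]

def memory_denials(lines):
    """Return {(comm, source_type): {perm: count}} for memory-protection denials."""
    result = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other non-AVC lines are ignored
        # scontext is user:role:type[:level]; the type is the third field.
        fields = m.group("scontext").split(":")
        stype = fields[2] if len(fields) > 2 else "?"
        for perm in m.group("perms").split():
            if perm in MEM_PERMS:
                result[(m.group("comm"), stype)][perm] += 1
    return {key: dict(counts) for key, counts in result.items()}

if __name__ == "__main__":
    for (comm, stype), counts in sorted(memory_denials(SAMPLE_LOG).items()):
        summary = ", ".join(f"{p} x{n}" for p, n in sorted(counts.items()))
        print(f"{comm} ({stype}): {summary}")
```
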



