
Re: package review?



Peter Harmsen wrote:
Is there any chance a firefox policy will be included
as default?

I am thinking of adding a boolean for people who want to use firefox/thunderbird/evolution policy. So by default we would have disable trans, and force a relabel or use restorecond for labeling users' homedirs for the .mozilla and .thunderbird directories.

The problem with these policies is that these applications are huge and are difficult to lock down in any meaningful way. For example: we could lock down Firefox to only be able to read pages, and perhaps only download files to a particular directory.
Which directory?  What happens if the user changes the directory?
Now what happens when they download a .doc or .ppt file? Do you want me to launch OpenOffice? If yes, what context should OpenOffice run under? Should I treat the data as untrusted? How does the user change it to trusted? How about if they download an RPM package? What about additional plugins?
All these issues exist in mailers also.

On 7/21/06, Wart <wart kobold org> wrote:
Daniel J Walsh wrote:
> allow crossfire_t port_t:udp_socket send_msg;
> allow crossfire_t port_t:tcp_socket name_bind;
> You need to define a port for this socket and only allow name_bind to
> that port

I know I'm missing something obvious here, but which macro can I use to
add this restriction?  I saw references to http_port_t and ntp_port_t in
corenetwork.if, but didn't see anything that actually defined it to be
port 80 (http) or port 123 (ntp).

--Mike
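
The restriction suggested in the quoted review (a dedicated port type instead of name_bind on the generic port_t) could look like the sketch below. It is an added example, not policy from this thread or from the crossfire package; the type name crossfire_port_t, the module name and the PORT placeholder are assumptions.

```selinux
# crossfire_port.te: local module sketch (added example, not from the thread).
policy_module(crossfire_port, 1.0.0)

gen_require(`
	type crossfire_t;	# domain from the policy under review
')

# Assumed name: a port type owned by this module. corenet_port() gives it
# the port_type attribute so the generic network interfaces recognise it.
type crossfire_port_t;
corenet_port(crossfire_port_t)

# Too broad (the rule flagged in review): any port still carrying the
# default port_t label could be bound.
#   allow crossfire_t port_t:tcp_socket name_bind;

# Restricted: bind only to ports labelled crossfire_port_t.
allow crossfire_t crossfire_port_t:tcp_socket name_bind;

# The number-to-type mapping is not part of the .te rules. For a local
# module it is added on the installed system (PORT is a placeholder):
#   semanage port -a -t crossfire_port_t -p tcp PORT
#   semanage port -l | grep crossfire_port_t     # confirm the mapping
#
# For types shipped in the reference policy, the mapping comes from
# network_port() lines in corenetwork.te.in, e.g.
#   network_port(http, tcp,80,s0, ...)
# which is expanded at build time into http_port_t plus its portcon
# entries; that is why no port number is visible in corenetwork.if.
```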
