[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Confining Firefox



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I've just read Daniels livejournal entry about confining firefox.
One thing that hit me, when I dug a little depper into SELinux last
semester, was that firefox can actually read ~/.ssh
I don't know _any_ reason why it should.
And I assume this is one kind of access, that SELinux should prevent.
Away from talking about explicit deny rules, I would suggest, that in
fedora 9 you (the active SELinux developers) deny it using something
like a "unconfined_for_all_applications_but_firefox_and_fellows_t" to
cut off those security relevant directories.
Otherwise the next *-plugin exploit could crack even hole enterprise
networks by reading admins ssh keys.

regards

christoph


ps: What is the current state of getting a real
"High-Level-Language(TM)" for SELinux configuration?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFH/UnNhMBO4cVSGS8RAgW2AKCnHBJnEc0MMRWEYh4WgInpLmVzugCfSjkQ
3KHcUVRPd2g9sux9ZBWlofE=
=TTfw
-----END PGP SIGNATURE-----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]