[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Confining Firefox



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christoph Höger wrote:
> Hi,
> 
> I've just read Daniels livejournal entry about confining firefox.
> One thing that hit me, when I dug a little depper into SELinux last
> semester, was that firefox can actually read ~/.ssh
> I don't know _any_ reason why it should.
> And I assume this is one kind of access, that SELinux should prevent.
> Away from talking about explicit deny rules, I would suggest, that in
> fedora 9 you (the active SELinux developers) deny it using something
> like a "unconfined_for_all_applications_but_firefox_and_fellows_t" to
> cut off those security relevant directories.
> Otherwise the next *-plugin exploit could crack even hole enterprise
> networks by reading admins ssh keys.
If you run your plugins in confined mode

# setsebool -P allow_unconfined_nsplugin_transition=1
# yum install nspluginwrapper
# restorecon -R -v ~/

None of the plugins will be allowed to read directories like .ssh or
.gpg in your home directory.

firefox is really difficult to confine, but with nsplugin you can
confine the plugins fairly well.


> 
> regards
> 
> christoph
> 
> 
> ps: What is the current state of getting a real
> "High-Level-Language(TM)" for SELinux configuration?

- --
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkf+b/4ACgkQrlYvE4MpobPs9QCfUp5K8B2Hldig0Zfi9j2Fncug
aIcAoNoW0dIbzyY/+AdIuC2czZBP52E5
=mVBD
-----END PGP SIGNATURE-----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]