On Fri, 2009-04-17 at 10:46 -0400, Daniel J Walsh wrote:
On 04/17/2009 10:23 AM, Simo Sorce wrote:
> On Fri, 2009-04-17 at 10:08 -0400, Daniel J Walsh wrote:
>> There is certainly argument about the value of this package and it
>> breaks nsplugin/SELinux functionality.
>>
>> A confined nsplugin is a nice feature for confining plugins downloaded
>> from the network. But if you run openoffice and evince from within
>> nsplugin they get confined, causing the apps to not work properly.
>
> Is there a way to make specific transition rules for known apps like
> evince or openoffice?
> Would it make sense to do so?
>
> Simo.
>
Yes I can but the rules end up being something like
nsplugin_t -> openoffice_exec_t -> unconfined_t.
So if someone can figure out a way to get openoffice to do something
evil from the command line, it becomes a fairly easy avenue of attack.
Similarly for evince.

Should we write a wrapper then that checks the command line and restricts
what can be done with it?

Maybe also lobby application developers to add a --insecure parameter
to their apps that we can pass down so that they can take extra
precautions when possible (maybe disable macros by default when a file
is labeled as "downloaded", or disable any write operation except "save
a copy" and stuff like that)?

Or maybe ask application writers to support reading the SELinux label of
the files they are opening and mark files downloaded from firefox as
"download_t" or something similar so that they know it is a potential
threat.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
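
A sketch of the last suggestion in the message above (an application reading the SELinux label of the file it is about to open), added here as an example and not part of the thread or of any project's code. `download_t` is the hypothetical type named in the message; the function names and the choice to treat unlabeled or unparseable files as untrusted are assumptions.

```python
import os

# Hypothetical type name taken from the message above; it is not assumed
# to exist in any shipped SELinux policy.
UNTRUSTED_TYPES = {"download_t"}


def parse_context(raw):
    """Split an SELinux context into (user, role, type, level).

    The xattr value is NUL-terminated, and the MLS/MCS level may itself
    contain colons (s0:c0.c1023), so split at most three times.
    """
    text = raw.rstrip(b"\x00").decode("ascii")
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed SELinux context: {text!r}")
    level = parts[3] if len(parts) == 4 else None
    return parts[0], parts[1], parts[2], level


def read_context(path):
    """Return the raw security.selinux xattr, or None if unavailable."""
    try:
        return os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        # No label, filesystem without xattrs, or a non-Linux platform.
        return None


def open_policy(raw_context):
    """Decide how an application should treat a file with this label.

    Assumption of this example: fail closed, so a missing or malformed
    label gets the same restrictions as an untrusted type.
    """
    restricted = {"macros": False, "writable": False, "save_copy": True}
    if raw_context is None:
        return restricted
    try:
        _, _, file_type, _ = parse_context(raw_context)
    except ValueError:  # also covers non-ASCII bytes (UnicodeDecodeError)
        return restricted
    if file_type in UNTRUSTED_TYPES:
        return restricted
    return {"macros": True, "writable": True, "save_copy": True}
```

An application would call `open_policy(read_context(path))` before loading the document and apply the returned settings.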