Why is mozplugger still installed by default on F11 it conflicts with SELInux since it causes oofice to run as nsplugin_t
9:08 a.m.
There is certainly argument about the value of this package and it
breaks nsplugin/SELinux functionality.
A confined nsplugin is a nice feature for confining plugins downloaded
from the network. But if you run openoffice and evince from within
nsplugin they get confined, causing the apps to not work properly.
9:23 a.m.
On Fri, 2009-04-17 at 10:08 -0400, Daniel J Walsh wrote:
There is certainly argument about the value of this package and it
breaks nsplugin/SELinux functionality.
A confined nsplugin is a nice feature for confining plugins downloaded
from the network. But if you run openoffice and evince from within
nsplugin they get confined, causing the apps to not work properly.
Is there a way to make specific transition rules for known apps like
evince or openoffice?
Would it make sens to do so?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
9:46 a.m.
On 04/17/2009 10:23 AM, Simo Sorce wrote:
On Fri, 2009-04-17 at 10:08 -0400, Daniel J Walsh wrote:
> There is certainly argument about the value of this package and it
> breaks nsplugin/SELinux functionality.
>
> A confined nsplugin is a nice feature for confining plugins downloaded
> from the network. But if you run openoffice and evince from within
> nsplugin they get confined, causing the apps to not work properly.
Is there a way to make specific transition rules for known apps like
evince or openoffice?
Would it make sens to do so?
Simo.
Yes I can but the rules end up being something like
nsplugin_t -> openoffice_exec_t -> unconfined_t.
So if someone can figure out a way to get openoffice to do something
evil from the command line, it becomes an fairly easy avenue of attack.
Similarly for evince.
9:56 a.m.
On Fri, 2009-04-17 at 10:46 -0400, Daniel J Walsh wrote:
On 04/17/2009 10:23 AM, Simo Sorce wrote:
> On Fri, 2009-04-17 at 10:08 -0400, Daniel J Walsh wrote:
>> There is certainly argument about the value of this package and it
>> breaks nsplugin/SELinux functionality.
>>
>> A confined nsplugin is a nice feature for confining plugins downloaded
>> from the network. But if you run openoffice and evince from within
>> nsplugin they get confined, causing the apps to not work properly.
>
> Is there a way to make specific transition rules for known apps like
> evince or openoffice?
> Would it make sens to do so?
>
> Simo.
>
Yes I can but the rules end up being something like
nsplugin_t -> openoffice_exec_t -> unconfined_t.
So if someone can figure out a way to get openoffice to do something
evil from the command line, it becomes an fairly easy avenue of attack.
Similarly for evince.
Should we write a wrapper then that checks the command line and restrict
what can be done with it ?
Maybe also lobby applications developers to add a --insecure parameter
to their apps that we can pass down so that they can take extra
precautions when possible (maybe disable macros by default when a file
is labeled as "downloaded", or disable any write operation except "save
a copy" and stuff like that) ?
Or maybe ask application writers to support reading the SELinux label of
the files they are opening and mark files downloaded from firefox as
"download_t" or something similar so that they know it is a potential
threat.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
9:35 a.m.
Daniel J Walsh (dwalsh(a)redhat.com) said:
There is certainly argument about the value of this package and it
breaks nsplugin/SELinux functionality.
A confined nsplugin is a nice feature for confining plugins downloaded
from the network. But if you run openoffice and evince from within
nsplugin they get confined, causing the apps to not work properly.
Looks like it's required by the java plugin (as well as some others,
but the java one is the one most likely to be installed by default.)
Bill
10:09 a.m.
On 04/17/2009 10:08 AM, Daniel J Walsh wrote:
There is certainly argument about the value of this package and it
breaks nsplugin/SELinux functionality.
A confined nsplugin is a nice feature for confining plugins downloaded
from the network. But if you run openoffice and evince from within
nsplugin they get confined, causing the apps to not work properly.
Removing mozplugger has been something I always do. It seems to cause
more problems than it solves. =(
Warren
2:43 a.m.
On Fri, 17 Apr 2009, Warren Togami wrote:
On 04/17/2009 10:08 AM, Daniel J Walsh wrote:
> There is certainly argument about the value of this package and it
> breaks nsplugin/SELinux functionality.
>
> A confined nsplugin is a nice feature for confining plugins downloaded
> from the network. But if you run openoffice and evince from within
> nsplugin they get confined, causing the apps to not work properly.
>
Removing mozplugger has been something I always do. It seems to cause more
problems than it solves. =(
Here are instructions on both removing mozplugger and restoring the
security protections of SELinux. Simply removing the package isn't
enough:
http://james-morris.livejournal.com/39013.html
An issue we need to consider is how a package which breaks a security
feature not only made it into the repo, but how it became enabled by
default.
- James
--
James Morris
<jmorris(a)namei.org>
3:17 a.m.
On Sat, Apr 18, 2009 at 17:43:03 +1000,
James Morris <jmorris(a)namei.org> wrote:
Here are instructions on both removing mozplugger and restoring the
security protections of SELinux. Simply removing the package isn't
enough:
http://james-morris.livejournal.com/39013.html
An issue we need to consider is how a package which breaks a security
feature not only made it into the repo, but how it became enabled by
default.
There is some other brain damaged stuff going on with firefox and plugins.
See: https://bugzilla.redhat.com/show_bug.cgi?id=491543
5496
days inactive
5497
days old
7 comments
6 participants
participants (6)
-
Bill Nottingham -
Bruno Wolff III -
Daniel J Walsh -
James Morris -
Simo Sorce -
Warren Togami