On Sat, 20 Sep 2008 16:27:43 EDT, Jason Edgecombe said:
> yiruli(a)ccsl.carleton.ca wrote:
> > Hi,
> > Where can I find the source policy for Mozilla Firefox?
> >
> > From the SELinux administration tool, I see that Mozilla module has
> > been loaded?
> >
> > But I find the following through the command "ps -Z":
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34 firefox
> >
> > Can I say that the policy for Firefox in my machine is not enforced yet?
> >
> > How can I make the policy be enforced?
> >
> > What is the status of the policy writing for Firefox?
> > In one web article, Dan said that the policy writing for Firefox has
> > little success due to its variant behaviour.
>
> What about changing the root password, then giving the customer (and
> other internal people) access via sudo with an auditing shell like eash.
> They still have a root shell, it's just audited now.

That's not addressing the *big* problem with things like Firefox.
The original poster probably wants Firefox policy enforced so that if an
exploit is found in Firefox, the damage is basically contained to the user's
~/.mozilla directory (where Firefox reads/writes its files), and the now-rogue
Firefox process can't go snooping around in other sensitive files (like the
ones in your .ssh or .gpg directories).
I don't see where the root password even enters into it - does *anybody*
run a browser as root?
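
An added example, not part of the original thread: a small parser for `ps -Z` output that reports which instances of a command run with type `unconfined_t`, i.e. outside any application-specific domain. The first sample line is the one quoted in the thread; the other two, including the `mozilla_t` and `sshd_t` labels and the function names, are constructed for illustration, and treating only `unconfined_t` as unconfined is an assumption of this example.

```python
from typing import NamedTuple, Optional

# Assumption for this example: only this type counts as "not confined".
UNCONFINED_TYPES = {"unconfined_t"}

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # MLS/MCS range; may itself contain ':' (s0-s0:c0.c1023)

def parse_context(label: str) -> Context:
    # Split on the first three colons only, so the range keeps its own colons.
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {label!r}")
    level = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], level)

def parse_ps_line(line: str) -> Optional[tuple]:
    # Expected columns: LABEL PID TTY TIME CMD
    fields = line.split(None, 4)
    if len(fields) != 5 or not fields[1].isdigit():
        return None  # header, blank or malformed line
    label, pid, _tty, _time, cmd = fields
    return int(pid), cmd, parse_context(label)

def unconfined_pids(ps_output: str, command: str) -> list:
    """PIDs of `command` whose SELinux type is in UNCONFINED_TYPES."""
    hits = []
    for line in ps_output.splitlines():
        rec = parse_ps_line(line)
        if rec is None:
            continue
        pid, cmd, ctx = rec
        if cmd.split()[0] == command and ctx.type in UNCONFINED_TYPES:
            hits.append(pid)
    return hits

# Sample input: line 2 is from the thread, lines 3-4 are constructed.
SAMPLE = """\
LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34 firefox
unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 2712 ? 00:00:05 firefox
system_u:system_r:sshd_t:s0-s0:c0.c1023 1801 ? 00:00:00 sshd
"""

if __name__ == "__main__":
    print(unconfined_pids(SAMPLE, "firefox"))
```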