On Sat, 20 Sep 2008 16:27:43 EDT, Jason Edgecombe said: That's not addressing the *big* problem with things like Firefox. The original poster probably wants Firefox policy enforced so that if an exploit is found in Firefox, the damage is basically contained to the user's ~/.mozilla directory (where Firefox reads/writes it files), and the now-rogue Firefox process can't go snooping around in other sensitive files (like the ones in your .ssh or .gpg directories). I don't see where the root password even enters into it - does *anybody* run a browser as root?

yiruli(a)ccsl.carleton.ca wrote: In the Fedora the only transition domain that transitions to firefox policy is xguest. Every other user type including unconfined_t above runs firefox without transition. So if ps -eZ | grep firefox shows unconfined_t firefox, it means it has the privs of the unconfined_t domain. It can do everything the users shell can do. There is policy to confine mozilla, but usually this ends up breaking more things then users are willing to put up with. So we have decided to concentrate on confining the users (staff_t, user_t, xguest_t, guest_t) and the plugins. So firefox might run in staff_t but the plugin it execs will run in staff_nsplugin_t. Plugins have a very confined domain. The real problem with confining firefox is the number of applications that it launches (openoffice, evince, acroread, email...) And writing policy for the confinement of all of these, plus the interaction with users launching the same apps from the toolbar is just not manageable. So what does the mozilla policy do that is loaded on my machine, well it defined file context for directories like .mozilla. It also is used for the transition from xguest_t to xguest_mozilla_t.