Mozilla plugins packaging [Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?]

drago01 drago01 at gmail.com
Tue Apr 10 15:08:38 UTC 2012


On Tue, Apr 10, 2012 at 4:29 PM, Paul Wouters <pwouters at redhat.com> wrote:
> On Tue, 10 Apr 2012, drago01 wrote:
>
>>> Wouldn't it be better to package Mozilla plugins in Fedora so that they
>>> are trusted?
>>
>>
>> rpm packages do not magically fix security issues. A vulnerability in
>> a plugin can be exploited by an attacker regardless of how the plugin got
>> installed (rpm or not).
>
>
> That's not true. SELinux could be used to restrict what a certain plugin
> could do when packaged as rpm versus the SELinux properties of files in
> a user's home directory.

That's not true as well because plugins are libraries, not binaries.
You can confine the binary (like we did with nspluginwrapper in the
past) regardless of where the plugin comes from.

