Confining Firefox
Christoph Höger
choeger at cs.tu-berlin.de
Wed Apr 9 22:57:17 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I've just read Daniels livejournal entry about confining firefox.
One thing that hit me, when I dug a little depper into SELinux last
semester, was that firefox can actually read ~/.ssh
I don't know _any_ reason why it should.
And I assume this is one kind of access, that SELinux should prevent.
Away from talking about explicit deny rules, I would suggest, that in
fedora 9 you (the active SELinux developers) deny it using something
like a "unconfined_for_all_applications_but_firefox_and_fellows_t" to
cut off those security relevant directories.
Otherwise the next *-plugin exploit could crack even hole enterprise
networks by reading admins ssh keys.
regards
christoph
ps: What is the current state of getting a real
"High-Level-Language(TM)" for SELinux configuration?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFH/UnNhMBO4cVSGS8RAgW2AKCnHBJnEc0MMRWEYh4WgInpLmVzugCfSjkQ
3KHcUVRPd2g9sux9ZBWlofE=
=TTfw
-----END PGP SIGNATURE-----
More information about the selinux
mailing list