browser_confine_xguest
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 4 19:34:36 UTC 2008
John Griffiths wrote:
> The name/usage of browser_confine_xguest is a bit confusing and
> system-config-selinux does not give any enlightenment.
>
> It may not even matter since I do not have xguest installed, but for academic
> purposes, does browser_confine_xguest confine the xguest to only browsing the
> localhost if it is on or off? Dan Walsh's journal seems to indicate that this
> should be on to allow browsing of the Internet by xguest which would seem to be
> the opposite of confine.
Well, in this case confine is probably a bad name. Really this boolean
defines whether or not xguest will transition to xguest_mozilla_t when
running firefox. "Confinement" is in the eye of the beholder.
xguest_mozilla_t cannot do as much on the local system as xguest_t, so
it is more confined on the local system, but has more access to the
network. So I guess the boolean should be called transition.
browser_transition_xguest probably would have been a better name, and
boy do I wish we had a means of aliasing boolean names, since we picked
so many bad ones over the years.
>
> This indicates whether the xguest account will transition to
> xguest_mozilla_t or not. If you turn this boolean on, xguest will be able
> to browse the web using firefox/mozilla. If you turn it off the account
> will only be allowed to run mozilla/firefox locally. You will not have any
> access to the net. -- http://danwalsh.livejournal.com/13376.html
>
> Am I just reading this wrong?
>
> Regards,
> John