Would selinux have provided protection against this firefox exploit?

Lukas Vrabec lvrabec at redhat.com
Mon Aug 10 09:34:14 UTC 2015



On 08/08/2015 02:43 AM, Ed Greshko wrote:
> On 08/08/15 08:30, William Brown wrote:
>> On Sat, 2015-08-08 at 08:26 +0800, Ed Greshko wrote:
>>> Not being a student of selinux I wonder if it would have protected users and
>>> the system against the recently discovered firefox exploit.
>>>
>>> https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
>>>
>> Normally firefox would run in your users context (unconfined_t), so no, this
>> would not have prevented it.
>>
>> Unless you run a confined user, or firefox in a sandbox, these may have limited
>> the scope of the damage.
Exactly. You need to run SELinux in a stricter mode, with confined users.
> Thank you.
>
> Follow up.  How about system files such as /etc/passwd ?
>

-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
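
An added example, not part of the original messages: a shell check that reads process labels and reports whether a named program (here firefox) runs in `unconfined_t`, the case the thread says SELinux would not have helped with. The function names and the sample lines are constructed for illustration; on a live system the input would come from `ps -eo label,pid,comm`.

```shell
#!/bin/sh
# Added example: flag processes running in the unconfined_t domain.

# Print the type (domain) field of a context "user:role:type:level".
# cut -s prints nothing when the input has no ':' at all.
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# unconfined_t: the targeted policy places almost no limits on the process.
# Any other type is bound by that domain's rules; how tight they are
# depends on the policy in use.
classify_context() {
    case "$(context_type "$1")" in
        unconfined_t) echo unconfined ;;
        '')           echo unknown ;;
        *)            echo confined ;;
    esac
}

# Read "label pid comm" lines on stdin and report every process whose
# command name equals $1.
audit_processes() {
    name=$1
    while read -r label pid comm; do
        [ "$comm" = "$name" ] || continue
        printf '%s pid=%s domain=%s %s\n' "$comm" "$pid" \
            "$(context_type "$label")" "$(classify_context "$label")"
    done
}

# Constructed sample input (illustrative labels, not captured from a host):
# a default login, a confined staff_u login, and a sandboxed browser.
SAMPLE='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2301 firefox
staff_u:staff_r:staff_t:s0-s0:c0.c1023 2410 firefox
unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c873 2533 firefox
system_u:system_r:sshd_t:s0-s0:c0.c1023 911 sshd'

printf '%s\n' "$SAMPLE" | audit_processes firefox
# Live use: ps -eo label,pid,comm | audit_processes firefox
```
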


