No need for AV tools on Linux, eh?

Robert Nichols rnicholsNOSPAM at comcast.net
Sun Feb 13 07:43:50 UTC 2011


On 02/13/2011 12:17 AM, Bruno Wolff III wrote:
> On Sat, Feb 12, 2011 at 22:25:41 -0600,
>    Robert Nichols<rnicholsNOSPAM at comcast.net>  wrote:
>>
>> All the plugins on my F-14 and F-12 machines have context
>> system_u:object_r:lib_t with the exception of nppdf.so which
>> is unconfined_u:object_r:lib_t.  Nothing there that's going to
>> cause a transition out of unconfined_t.
>
> This is the article that I probably remember this from. There is a plugin
> wrapper that is used to have a transition. It also talks about some of the
> issues with trying to confine a web browser.
> http://danwalsh.livejournal.com/15700.html?thread=117076
>
>> I keep hearing noise about how vital it is to have SELinux protecting
>> against browser exploits, but I've yet to see any evidence that a
>> standard (i.e., targeted policy) SELinux installation has anything
>> beyond execmem protection for the browser process, or, for that matter,
>> for a lot of other vulnerable targets such as the thunderbird mail
>> reader or the evince and acroread document viewers.
>
> It's probably even more important for mail clients since they process
> unsolicited data.

No argument there, but there's no protection in a default installation.
Plus, the boolean that controls the confinement for nspluginwrapper
defaults to "off", so there's no protection there either.  It's making
more and more sense to say, "In a workstation installation, go ahead
and run SELinux as long as it's not causing too many headaches, but if
you are running into hard-to-solve problems with it, you aren't losing
very much by just shutting it off."

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
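The checks Robert describes (looking at the plugin file contexts and at the nspluginwrapper boolean) can be turned into a small repeatable audit. The script below is an added example, not code from the thread or from Fedora's policy tooling. It assumes the usual Mozilla plugin directories and a boolean name (`allow_unconfined_nsplugin_transition`, overridable through `NSPLUGIN_BOOL`); the thread does not name the boolean, so that default is an assumption to verify with `getsebool -a` on the box in question. The helper functions work on constructed context strings and `getsebool` lines, so they can be checked without an SELinux host; only `audit` touches the live system.

```shell
#!/bin/sh
# Added example (not from the thread): audit the SELinux labels on browser
# plugins and the state of the nspluginwrapper transition boolean, so the
# "is anything here actually confined?" question has a repeatable answer.

# Assumption: typical plugin directories on an F-12/F-14 box; override as needed.
PLUGIN_DIRS="${PLUGIN_DIRS:-/usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins}"
# Assumption: the boolean that gates the nsplugin domain transition.
NSPLUGIN_BOOL="${NSPLUGIN_BOOL:-allow_unconfined_nsplugin_transition}"

# Split a context string (user:role:type[:level]) into the parts we care about.
context_user() { printf '%s\n' "$1" | cut -d: -f1; }
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# check_context CONTEXT
#   returns 0: system_u with type lib_t (what the thread reports as the norm)
#   returns 1: type lib_t but labeled by another SELinux user (unconfined_u,
#              like nppdf.so in the thread); no transition implied, worth noting
#   returns 2: some other type entirely; inspect it
check_context() {
  u=$(context_user "$1"); t=$(context_type "$1")
  if [ "$t" != "lib_t" ]; then
    echo "TYPE  $t (not lib_t)"; return 2
  fi
  if [ "$u" != "system_u" ]; then
    echo "USER  $u (not the default system_u label)"; return 1
  fi
  echo "OK    $u:$t"; return 0
}

# bool_state LINE: take one line of getsebool output ("name --> on") and
# print just the on/off word.
bool_state() { printf '%s\n' "$1" | awk '{print $NF}'; }

# transition_enabled STATE: succeeds (0) only when the boolean is on.
transition_enabled() { [ "$1" = "on" ]; }

# audit: run the checks on the live system (needs an SELinux-enabled host).
audit() {
  for d in $PLUGIN_DIRS; do
    [ -d "$d" ] || continue
    for f in "$d"/*.so; do
      [ -e "$f" ] || continue
      ctx=$(stat -c '%C' "$f")          # %C = SELinux context of the file
      printf '%-50s ' "$f"; check_context "$ctx" || true
    done
  done
  line=$(getsebool "$NSPLUGIN_BOOL" 2>/dev/null) || {
    echo "boolean $NSPLUGIN_BOOL is not present in this policy"; return 0; }
  if transition_enabled "$(bool_state "$line")"; then
    echo "$NSPLUGIN_BOOL is on: wrapped plugins get their own domain"
  else
    echo "$NSPLUGIN_BOOL is off: plugins stay in the browser's (unconfined) domain"
  fi
}

# Only run the live audit when invoked as: sh plugin_audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

A result of "OK" for every plugin plus the boolean reporting "off" is exactly the situation the thread describes: the labels are what they should be, yet no domain transition happens, so nothing beyond the browser's own execmem restrictions is in play.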