Daniel J Walsh wrote:
Well I don't really believe in confining firefox in this way, because of the transitions available.
You can confine nsplugin though
http://danwalsh.livejournal.com/15700.html
The problem with confining firefox is somewhat covered in this article, but where it really breaks is in helper applications.
Yes, I'm a reader of your blog (thanks for posting this interesting information)
unconfined_mozilla_t runs ooffice and office ends up in unconfined_mozilla_t but if thunderbird or you launch ooffice directly it runs unconfined_t and things get confused.
For me it would be fine to save a file (pdf, odt, ..) to disk (~/Downloads) prior to opening it with the appropriate program (pdf-reader, openoffice, ...) in the unconfined_t domain and not starting these programs directly within firefox.
I admit that a normal end user would not like this extra step just to get more security.
regards, Christoph A.