Hi,
I've just read Daniel's livejournal entry about confining firefox. One thing that hit me when I dug a little deeper into SELinux last semester was that firefox can actually read ~/.ssh. I don't know _any_ reason why it should. And I assume this is one kind of access that SELinux should prevent. Away from talking about explicit deny rules, I would suggest that in Fedora 9 you (the active SELinux developers) deny it using something like an "unconfined_for_all_applications_but_firefox_and_fellows_t" to cut off those security-relevant directories. Otherwise the next *-plugin exploit could crack even whole enterprise networks by reading admins' ssh keys.
regards
christoph
ps: What is the current state of getting a real "High-Level-Language(TM)" for SELinux configuration?