John Griffiths wrote:
> The name/usage of browser_confine_xguest is a bit confusing and system-config-selinux does not give any enlightenment.
>
> It may not even matter since I do not have xguest installed, but for academic purposes, does browser_confine_xguest confine the xguest to only browsing the localhost if it is on or off? Dan Walsh's journal seems to indicate that this should be on to allow browsing of the Internet by xguest, which would seem to be the opposite of confine.
Well, in this case confine is probably a bad name. Really this boolean defines whether or not xguest will transition to xguest_mozilla_t when running firefox. "Confinement" is in the eye of the beholder. xguest_mozilla_t cannot do as much on the local system as xguest_t, so it is more confined on the local system, but has more access to the network. So I guess the boolean should be called transition.

browser_transition_xguest probably would have been a better name, and boy do I wish we had a means of aliasing boolean names, since we picked so many bad ones over the years.
> This indicates whether the xguest account will transition to xguest_mozilla_t or not. If you turn this boolean on, xguest will be able to browse the web using firefox/mozilla. If you turn it off the account will only be allowed to run mozilla/firefox locally. You will not have any access to the net.
> -- http://danwalsh.livejournal.com/13376.html
>
> Am I just reading this wrong?
>
> Regards, John
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
selinux@lists.fedoraproject.org