Hi,
I've just read Daniel's livejournal entry about confining firefox. One thing that hit me, when I dug a little deeper into SELinux last semester, was that firefox can actually read ~/.ssh. I don't know _any_ reason why it should. And I assume this is one kind of access that SELinux should prevent. Away from talking about explicit deny rules, I would suggest that in Fedora 9 you (the active SELinux developers) deny it using something like a "unconfined_for_all_applications_but_firefox_and_fellows_t" to cut off those security relevant directories. Otherwise the next *-plugin exploit could crack even whole enterprise networks by reading admins' ssh keys.
regards
christoph
ps: What is the current state of getting a real "High-Level-Language(TM)" for SELinux configuration?
Christoph Höger wrote:
Hi,
I've just read Daniel's livejournal entry about confining firefox. One thing that hit me, when I dug a little deeper into SELinux last semester, was that firefox can actually read ~/.ssh. I don't know _any_ reason why it should. And I assume this is one kind of access that SELinux should prevent. Away from talking about explicit deny rules, I would suggest that in Fedora 9 you (the active SELinux developers) deny it using something like a "unconfined_for_all_applications_but_firefox_and_fellows_t" to cut off those security relevant directories. Otherwise the next *-plugin exploit could crack even whole enterprise networks by reading admins' ssh keys.
If you run your plugins in confined mode
# setsebool -P allow_unconfined_nsplugin_transition=1
# yum install nspluginwrapper
# restorecon -R -v ~/
None of the plugins will be allowed to read directories like .ssh or .gpg in your home directory.
firefox is really difficult to confine, but with nsplugin you can confine the plugins fairly well.
regards
christoph
ps: What is the current state of getting a real "High-Level-Language(TM)" for SELinux configuration?
On Thursday 10 April 2008 08:52:31 pm Daniel J Walsh wrote:
If you run your plugins in confined mode
# setsebool -P allow_unconfined_nsplugin_transition=1
# yum install nspluginwrapper
# restorecon -R -v ~/
None of the plugins will be allowed to read directories like .ssh or .gpg in your home directory.
firefox is really difficult to confine, but with nsplugin you can confine the plugins fairly well.
Could you please clarify for me - Does the restorecon need to be run every time anything is installed to the ~/?
(How many places do I have to check to make everything use the GB keyboard layout? In some places it does use it, in others it doesn't. It's driving me mad!)
Anne
On Fri, 2008-04-11 at 10:02 +0100, Anne Wilson wrote:
On Thursday 10 April 2008 08:52:31 pm Daniel J Walsh wrote:
If you run your plugins in confined mode
# setsebool -P allow_unconfined_nsplugin_transition=1
# yum install nspluginwrapper
# restorecon -R -v ~/
None of the plugins will be allowed to read directories like .ssh or .gpg in your home directory.
firefox is really difficult to confine, but with nsplugin you can confine the plugins fairly well.
Could you please clarify for me - Does the restorecon need to be run every time anything is installed to the ~/?
Only if the default inheritance or type transition rule doesn't yield the desired type for the file. That can happen if you e.g. move aside a directory and re-create it and it needs its own distinct type from the parent directory in order to differentiate it in policy.
You can also avoid the need to manually run restorecon by configuring restorecond to watch for the specific directories and/or files in question (via /etc/selinux/restorecond.conf), in which case the daemon will automatically label those files upon creation.
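
Added example, not part of the original thread: a small Python model of the case described in the reply above, where a re-created ~/.ssh picks up its label by inheritance instead of the type the file-context spec assigns. The specs, transition rule, paths and type names (taken from current reference policy) are constructed assumptions, and the "last matching spec wins" lookup is a simplification of what restorecon does.

```python
import re

# Constructed file-context specs (path regex -> type), in file_contexts style.
# Type names are assumed from current reference policy, not taken from the thread.
SPECS = [
    (r"/home/[^/]+", "user_home_dir_t"),
    (r"/home/[^/]+/.+", "user_home_t"),
    (r"/home/[^/]+/\.ssh(/.*)?", "ssh_home_t"),
]

# Constructed type-transition rules: (creating domain, parent dir type) -> new type.
TRANSITIONS = {("unconfined_t", "user_home_dir_t"): "user_home_t"}


def expected_type(path):
    """Type restorecon would apply; simplified to 'last matching spec wins'."""
    hit = None
    for pattern, setype in SPECS:
        if re.fullmatch(pattern, path):
            hit = setype
    return hit


def create(labels, path, domain="unconfined_t"):
    """Label a new file as the kernel would: transition rule, else parent's type."""
    parent_type = labels[path.rsplit("/", 1)[0]]
    labels[path] = TRANSITIONS.get((domain, parent_type), parent_type)
    return labels[path]


def needs_restorecon(labels):
    """Paths whose current type differs from the file-context spec."""
    return sorted(p for p, t in labels.items() if expected_type(p) != t)


def demo():
    labels = {"/home/alice": "user_home_dir_t"}     # constructed starting state
    create(labels, "/home/alice/notes.txt")          # transition gives user_home_t
    create(labels, "/home/alice/.ssh")               # re-created dir: user_home_t
    create(labels, "/home/alice/.ssh/id_rsa")        # inherits the wrong type
    before = needs_restorecon(labels)
    for p in before:                                 # what restorecon -R would do
        labels[p] = expected_type(p)
    create(labels, "/home/alice/.ssh/known_hosts")   # now inherits ssh_home_t
    return before, needs_restorecon(labels)


if __name__ == "__main__":
    print(demo())
```

Once the directory itself carries the right type, files created inside it inherit that type and no further relabel is needed, which is the situation the reply describes.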