Les Mikesell wrote:
Bruno Wolff III wrote:
Does it actually prevent browser plugins from doing things that the running user can't do in the default configuration?

Bruno is noting that the current methods of exploitation tend to be webpages, flash, java, media files and a firewall isn't going to be of much help with this type of intrusion but selinux clearly could be a layer of use here.

Yes.

I thought plugins ran as libraries within the same process. SELinux can prevent them from loading which isn't particularly useful. How can it control separately what a plugin can do without breaking the browser's own ability to do it?

I already gave you the link earlier. Nspluginwrapper is installed by default which can run plugins in a separate memory address making it possible to confine it by policy. If a flash plugin tries to access files under .ssh for example, SELinux policy can prevent that as an obvious violation.
Rahul
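
An added example, not part of the original message: when policy blocks a confined plugin process from touching files under .ssh, the kernel records an AVC denial, and the sketch below picks those denials out of audit log text. The log lines are constructed, and the type names `nsplugin_t` and `ssh_home_t` and the process name `npviewer.bin` are assumptions to check against the policy actually loaded on the system.

```python
import re

# Constructed audit.log lines (not from the thread). The SELinux type names
# nsplugin_t / ssh_home_t are assumptions; verify them on the target system.
SAMPLE_LOG = """\
type=AVC msg=audit(1230000000.101:41): avc:  denied  { read } for  pid=2301 comm="npviewer.bin" name="id_rsa" dev=dm-0 ino=1101 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file
type=AVC msg=audit(1230000000.205:42): avc:  denied  { getattr } for  pid=2301 comm="npviewer.bin" path="/home/user/.ssh" dev=dm-0 ino=1100 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir
type=AVC msg=audit(1230000001.310:43): avc:  denied  { write } for  pid=1900 comm="httpd" name="index.html" dev=dm-0 ino=2200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1230000000.101:41): arch=c000003e syscall=2 success=no exit=-13 comm="npviewer.bin"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context.

    The MLS level may itself contain ':' (s0-s0:c0.c1023), so only the
    third field is taken rather than the last one.
    """
    return context.split(":")[2]


def plugin_denials(log_text, source_type="nsplugin_t", target_type="ssh_home_t"):
    """List AVC denials where source_type was refused access to target_type."""
    hits = []
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m:
            continue
        if (selinux_type(m["scon"]) == source_type
                and selinux_type(m["tcon"]) == target_type):
            hits.append({"comm": m["comm"], "perms": m["perms"].split(),
                         "tclass": m["tclass"]})
    return hits


if __name__ == "__main__":
    for hit in plugin_denials(SAMPLE_LOG):
        print(hit)
```
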