Rahul Sundaram wrote:
Bruno is noting that the current methods of exploitation tend to be
web
pages, flash, java, media files and a firewall isn't going to be of
much
help with this type of intrusion but selinux clearly could be a
layer of
use here.
Does it actually prevent browser plugins from doing things that the
running user can't do in the default configuration?
Yes.
I thought plugins ran as libraries within the same process. SELinux
can prevent them from loading which isn't particularly useful. How can
it control separately what a plugin can do without breaking the
browser's own ability to it?
I already gave you the link earlier. Nspluginwrapper is installed by
default which can run plugins in a separate memory address making it
possible to confine it by policy. If a flash plugin tries to access
files under .ssh for example, SELinux policy can prevent that as a
obvious violation.
That hasn't been released yet has it? Are there policies that actually
do something useful that are known not to break anything?
--
Les Mikesell
lesmikesell@xxxxxxxxx