Re: No need for AV tools on Linux, eh?

On 02/12/2011 03:58 PM, Bruno Wolff III wrote:
> On Sat, Feb 12, 2011 at 15:39:03 -0600,
>    Robert Nichols<rnicholsNOSPAM@xxxxxxxxxxx>  wrote:
>> On 02/12/2011 11:15 AM, Bruno Wolff III wrote:
>>>
>>> Most of selinux enforcement is targeted at services and a few user tools
>>> that commonly process untrusted data (in particular firefox).
>>
>> Firefox, really?
>
> I think most of the work was with handling plugins for it.

All the plugins on my F-14 and F-12 machines have context
system_u:object_r:lib_t with the exception of nppdf.so which
is unconfined_u:object_r:lib_t.  Nothing there that's going to
cause a transition out of unconfined_t.

I keep hearing noise about how vital it is to have SELinux protecting
against browser exploits, but I've yet to see any evidence that a
standard (i.e., targeted policy) SELinux installation has anything
beyond execmem protection for the browser process, or, for that matter,
for a lot of other vulnerable targets such as the thunderbird mail
reader or the evince and acroread document viewers.

FWIW, I am running with SELinux in enforcing mode.  Why I bother
(and it _is_ a bother), I have no idea.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
