On 02/12/2011 03:58 PM, Bruno Wolff III wrote:
> On Sat, Feb 12, 2011 at 15:39:03 -0600,
>   Robert Nichols<rnicholsNOSPAM@xxxxxxxxxxx> wrote:
>> On 02/12/2011 11:15 AM, Bruno Wolff III wrote:
>>>
>>> Most of selinux enforcement is targeted at services and a few user tools
>>> that commonly process untrusted data (in particular firefox).
>>
>> Firefox, really?
>
> I think most of the work was with handling plugins for it.

All the plugins on my F-14 and F-12 machines have context system_u:object_r:lib_t with the exception of nppdf.so which is unconfined_u:object_r:lib_t. Nothing there that's going to cause a transition out of unconfined_t.

I keep hearing noise about how vital it is to have SELinux protecting against browser exploits, but I've yet to see any evidence that a standard (i.e., targeted policy) SELinux installation has anything beyond execmem protection for the browser process, or, for that matter, for a lot of other vulnerable targets such as the thunderbird mail reader or the evince and acroread document viewers.

FWIW, I am running with SELinux in enforcing mode. Why I bother (and it _is_ a bother), I have no idea.

--
Bob Nichols
"NOSPAM" is really part of my email address. Do NOT delete it.