On 02/13/2011 12:17 AM, Bruno Wolff III wrote:
> On Sat, Feb 12, 2011 at 22:25:41 -0600,
> Robert Nichols <rnicholsNOSPAM@xxxxxxxxxxx> wrote:
>>
>> All the plugins on my F-14 and F-12 machines have context
>> system_u:object_r:lib_t with the exception of nppdf.so which
>> is unconfined_u:object_r:lib_t. Nothing there that's going to
>> cause a transition out of unconfined_t.
>
> This is the article that I probably remember this from. There is a plugin
> wrapper that is used to have a transition. It also talks about some of the
> issues with trying to confine a web browser.
> http://danwalsh.livejournal.com/15700.html?thread=117076
>
>> I keep hearing noise about how vital it is to have SELinux protecting
>> against browser exploits, but I've yet to see any evidence that a
>> standard (i.e., targeted policy) SELinux installation has anything
>> beyond execmem protection for the browser process, or, for that matter,
>> for a lot of other vulnerable targets such as the thunderbird mail
>> reader or the evince and acroread document viewers.
>
> It's probably even more important for mail clients since they process
> unsolicited data.

No argument there, but there's no protection in a default installation.
Plus, the boolean that controls the confinement for nspluginwrapper
defaults to "off", so there's no protection there either.

It's making more and more sense to say, "In a workstation installation,
go ahead and run SELinux as long as it's not causing too many headaches,
but if you are running into hard to solve problems with it, you aren't
losing very much by just shutting it off."

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.