Les Mikesell wrote:
Bruno Wolff III wrote:
Bruno is noting that the current methods of exploitation tend to be web
pages, flash, java, media files and a firewall isn't going to be of much
help with this type of intrusion but selinux clearly could be a layer of
use here.

Does it actually prevent browser plugins from doing things that the
running user can't do in the default configuration?

Yes.

I thought plugins ran as libraries within the same process. SELinux can
prevent them from loading which isn't particularly useful. How can it
control separately what a plugin can do without breaking the browser's
own ability to do it?

I already gave you the link earlier. Nspluginwrapper is installed by
default which can run plugins in a separate memory address making it
possible to confine it by policy. If a flash plugin tries to access
files under .ssh for example, SELinux policy can prevent that as an
obvious violation.
Rahul