Les Mikesell wrote:
> Antonio Olivares wrote:
>> Les,
>> nspluginwrapper is there, and selinux is there as
>> well, what part of the code do you suggest is not
>> there?
> I didn't think plugins were currently loaded by nspluginwrapper, and end
> users aren't likely to be able to set that up or develop suitable policies
> by themselves.
>> Selinux is there to protect you from malicious
>> websites that try to execute random code onto your
>> machine.
> The question is, how does it know malicious code from what you want the
> browser to do?
I don't think it does know malicious code. Heuristic analysis often ends
in false positives. It's based on permission, AFAIK: does it have
permission to read or modify a particular file or directory? The bottom
line is Firefox is difficult to confine. Browsers, after the users, are
probably the weakest link in the security chain. One thing we as users
should do is refuse to use unsafe code. I missed an episode of Battlestar
Galactica so I hopped over to the website to watch it there; soon as I
get to scifi.com I get this (edited for length):
Summary:
SELinux is preventing npviewer.bin from changing a writable memory segment
executable.

Detailed Description:
The npviewer.bin application attempted to change the access protection of
memory (e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If npviewer.bin does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Nice to know SELinux is doing its job. I won't allow the access, even
though I know how to go about it. Why?
'Cause it's not safe and I'll catch the rebroadcast tonight anyway.
Allowing the access, in my opinion, just encourages this sort of coding.
If people stop using a program until it can be proven to be
safe (relatively) then the people who write them will either fix it or
better yet start from scratch and write something the right way the
first time, not that I think it was written with a security flaw on
purpose but there it is.
Max
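
The alert quoted above fires when a process asks to make writable memory executable. As an added example (not part of the original message and not code from any Fedora package; the function names are made up here), this C self-test issues that same request for an anonymous mapping and for a malloc'd page on your own machine and reports whether the kernel and any loaded policy allow it. It never runs anything from the memory it probes.

```c
/* Added example; probe_anon_exec, probe_heap_exec and verdict are hypothetical names. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Writable anonymous mapping -> executable. Returns 0 if allowed, else errno. */
int probe_anon_exec(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int rc = mprotect(p, len, PROT_READ | PROT_EXEC) == 0 ? 0 : errno;
    munmap(p, len);
    return rc;
}

/* Same request for a malloc-family page; it stays writable so free() still works. */
int probe_heap_exec(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = NULL;
    if (posix_memalign(&p, len, len) != 0)
        return ENOMEM;
    int rc = mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC) == 0 ? 0 : errno;
    if (rc == 0)
        mprotect(p, len, PROT_READ | PROT_WRITE);   /* undo before free() */
    free(p);
    return rc;
}

/* Map a probe result to a short verdict string. */
const char *verdict(int rc)
{
    return rc == 0 ? "allowed" : (rc == EACCES || rc == EPERM) ? "denied" : "error";
}

int main(void)
{
    int a = probe_anon_exec(), h = probe_heap_exec();
    printf("anonymous mapping -> executable: %s\n", verdict(a));
    printf("malloc'd page     -> executable: %s\n", verdict(h));
    return 0;
}
```

When SELinux is enforcing and the calling domain lacks the relevant memory-protection permission, the probe reports "denied" (mprotect fails with EACCES) and the denial is recorded in the audit log.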