Re: No need for AV tools on Linux, eh?

On 02/13/2011 12:17 AM, Bruno Wolff III wrote:
> On Sat, Feb 12, 2011 at 22:25:41 -0600,
>    Robert Nichols <rnicholsNOSPAM@xxxxxxxxxxx> wrote:
>>
>> All the plugins on my F-14 and F-12 machines have context
>> system_u:object_r:lib_t with the exception of nppdf.so which
>> is unconfined_u:object_r:lib_t.  Nothing there that's going to
>> cause a transition out of unconfined_t.
>
> This is the article that I probably remember this from. There is a plugin
> wrapper that is used to have a transition. It also talks about some of the
> issues with trying to confine a web browser.
> http://danwalsh.livejournal.com/15700.html?thread=117076
>
>> I keep hearing noise about how vital it is to have SELinux protecting
>> against browser exploits, but I've yet to see any evidence that a
>> standard (i.e., targeted policy) SELinux installation has anything
>> beyond execmem protection for the browser process, or, for that matter,
>> for a lot of other vulnerable targets such as the thunderbird mail
>> reader or the evince and acroread document viewers.
>
> It's probably even more important for mail clients since they process
> unsolicited data.

No argument there, but there's no protection in a default installation.
Plus, the boolean that controls the confinement for nspluginwrapper
defaults to "off", so there's no protection there either.  It's making
more and more sense to say, "In a workstation installation, go ahead
and run SELinux as long as it's not causing too many headaches, but if
you are running into hard-to-solve problems with it, you aren't losing
very much by just shutting it off."

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
