On 07/30/2017 06:30 AM, Ed Greshko wrote:
> On 07/30/2017 03:56 PM, Paul Allen Newell wrote:
>> okay
>>
>> Am I to gather that this "setsebool -P unconfined_mozilla_plugin_transition 0" suggestion pretty much is a global statement to say "*anything* that SELinux pings in anything dealing with Firefox" will be ignored once this setsebool rule is enacted?
>
> No. It only has to do with the mozilla plugin....
>
> [root@meimei ~]# semanage boolean -l | grep mozilla_plugin_tran
> unconfined_mozilla_plugin_transition (on , on) Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
>
> Which basically would control what processes can be executed by the plugin.

This helps clarify, thank you. Far better explanation than the conclusion I was thinking.

>> Not making value judgment with that statement, just trying to understand how big the scope of that SELinux rule is. For the record, I have not granted that exception as I have yet to see any problem with NVidia and Firefox that requires an intervention.
>
> I guess I'm a bit confused. In your second paragraph you said ""setsebool -P unconfined_mozilla_plugin_transition 0" is exactly what SELinux advises me to do now that I have NVidia instead of nouveau installed when dealing with Firefox issues." But now you've said "I have not granted that exception as I have yet to see any problem with NVidia and Firefox that requires an intervention."

SELinux has given me the alert and I have not done the setsebool action. Given that I have not seen any problems, it doesn't make much sense to me to do the setsebool action.

> But, again, the selinux messages we're talking about here have no relationship to the video hardware or driver in use. You may not hit an issue so you may not need to make the change. In the case of going to puzzles.usatoday.com, running the flash plugin and then trying to print, the plugin isn't being allowed access to information about printers.....it would seem.
>
> If you hit an issue that requires you change the boolean (and chances are you won't know it unless you disable dontaudit) and you are concerned about a security risk I would ask on the selinux mailing list. They have the expertise.

I appreciate the information. Everything I found online indicated to me that others have gotten the same warnings and the setsebool is the default action to take. I have yet to see any comment about what is being prevented (as in "I can't do this or that").

Thanks