Re: Why is mozplugger still installed by default on F11 it conflicts with SELInux since it causes oofice to run as nsplugin_t

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 04/17/2009 10:23 AM, Simo Sorce wrote:

On Fri, 2009-04-17 at 10:08 -0400, Daniel J Walsh wrote:

There is certainly argument about the value of this package and it
breaks nsplugin/SELinux functionality.

A confined nsplugin is a nice feature for confining plugins downloaded
from the network.  But if you run openoffice and evince from within
nsplugin they get confined, causing the apps to not work properly.


Is there a way to make specific transition rules for known apps like
evince or openoffice?
Would it make sens to do so?

Simo.


Yes I can but the rules end up being something like

nsplugin_t -> openoffice_exec_t -> unconfined_t.
So if someone can figure out a way to get openoffice to do something evil from the command line, it becomes an fairly easy avenue of attack. 

Similarly for evince.


--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux