On Fri, 2009-04-17 at 10:46 -0400, Daniel J Walsh wrote: > On 04/17/2009 10:23 AM, Simo Sorce wrote: > > On Fri, 2009-04-17 at 10:08 -0400, Daniel J Walsh wrote: > >> There is certainly argument about the value of this package and it > >> breaks nsplugin/SELinux functionality. > >> > >> A confined nsplugin is a nice feature for confining plugins downloaded > >> from the network. But if you run openoffice and evince from within > >> nsplugin they get confined, causing the apps to not work properly. > > > > Is there a way to make specific transition rules for known apps like > > evince or openoffice? > > Would it make sens to do so? > > > > Simo. > > > Yes I can but the rules end up being something like > > nsplugin_t -> openoffice_exec_t -> unconfined_t. > > So if someone can figure out a way to get openoffice to do something > evil from the command line, it becomes an fairly easy avenue of attack. > > Similarly for evince. Should we write a wrapper then that checks the command line and restrict what can be done with it ? Maybe also lobby applications developers to add a --insecure parameter to their apps that we can pass down so that they can take extra precautions when possible (maybe disable macros by default when a file is labeled as "downloaded", or disable any write operation except "save a copy" and stuff like that) ? Or maybe ask application writers to support reading the SELinux label of the files they are opening and mark files downloaded from firefox as "download_t" or something similar so that they know it is a potential threat. Simo. -- Simo Sorce * Red Hat, Inc * New York -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
