Hi,

I've just read Daniel's livejournal entry about confining firefox.

One thing that hit me, when I dug a little deeper into SELinux last semester, was that firefox can actually read ~/.ssh. I don't know _any_ reason why it should. And I assume this is one kind of access that SELinux should prevent.

Away from talking about explicit deny rules, I would suggest that in fedora 9 you (the active SELinux developers) deny it using something like an "unconfined_for_all_applications_but_firefox_and_fellows_t" to cut off those security relevant directories. Otherwise the next *-plugin exploit could crack even whole enterprise networks by reading admins' ssh keys.

regards
christoph

ps: What is the current state of getting a real "High-Level-Language(TM)" for SELinux configuration?

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list