Christoph A. wrote:
> Hi,
>
> I'm looking forward to confine users (firefox, thunderbird). I played
> with xguest_u and I liked the behavior of firefox (home not writeable
> except ~/Downloads, ~/.mozilla), but I need other programs
> (thunderbird, ssh) to connect to the internet too, so I wanted to try
> the usual unconfined_u with browser_confine_unconfined set.
>
> I didn't find much about this boolean but I wanted to see if, with this
> boolean set, firefox of an unconfined user will behave like firefox of
> xguest_u.
>
> After setting the boolean firefox runs in its own domain
> (unconfined_mozilla_t) that looks fine.
>
> When I tried to save a picture to see if I can write to ~/ (not
> ~/Download) firefox hangs (immediately after clicking on "Save Image
> As...") and I had to use kill to terminate it.
>
> observing the audit.log file with tail -f shows:
>
> type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81
> auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93
> spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus :
> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>
> If I set browser_confine_unconfined to 0 this problem doesn't occur.
>
> Should firefox (unconfined_mozilla_t) behave like firefox of xguest_u,
> or is this boolean for something different?
>
> thanks,
> Christoph A.
> PS: I'm using FC9.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

No, this seems like something that should be allowed.
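Added example, not part of either message: a small Python parser that reads the USER_AVC record quoted above and renders the type-enforcement rule that would permit the denied access, in the form audit2allow prints. The function names are this example's own; the record is the one from the post, joined onto one line.

```python
import re

# USER_AVC record from the post above, joined onto a single line.
RECORD = (
    "type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81 "
    "auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93 "
    "spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus : "
    "exe=\"/bin/dbus-daemon\" (sauid=81, hostname=?, addr=?, terminal=?)'"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]

def parse_denial(record):
    """Extract who was denied what from an AVC or USER_AVC audit record."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("no AVC denial found in record")
    return {
        "perms": m.group("perms").split(),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # USER_AVC means a userspace object manager made the decision.
        "userspace": record.startswith("type=USER_AVC"),
    }

def candidate_rule(denial):
    """Render the type-enforcement rule that would permit the denied access."""
    perms = denial["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        denial["source"], denial["target"], denial["tclass"], perm_text)

if __name__ == "__main__":
    print(candidate_rule(parse_denial(RECORD)))
```

For this record the denied access is hald_t sending a D-Bus method_return to unconfined_mozilla_t, with dbus-daemon acting as the userspace object manager that enforced it (hence USER_AVC rather than AVC).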