Re: firefox problems with: browser_confine_unconfined --> on

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christoph A. wrote:
> Daniel J Walsh wrote:
> 
>>> type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81
>>> auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>> msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.93
>>> spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0
>>> tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus :
>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> 
>> No this seems like something that should be allowed.
> 
> Thank you for your response.
> 
> So browser_confine_unconfined=1 is the right way to confine firefox (of
> unconfined_u) like firefox of guest_u?
> 
> thanks in advance
> Christoph A.
Well I don't really believe in confining firefox in this way, because of
the transitions available.


You can confine nsplugin though

http://danwalsh.livejournal.com/15700.html


The problem with confining firefox is somewhat covered in this article,
but where it really breaks is in helper applications.

unconfined_mozilla_t runs ooffice and office ends up in
unconfined_mozilla_t but if thunderbird or you launch ooffice directly
it runs unconfined_t and things get confused.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgpltkACgkQrlYvE4MpobPp+wCg6z3HbnsifKE6BJtj4p6qURzF
RMwAnR3yG22YbgnCLOMTaOs5WGkFUrPd
=9QLW
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux