Daniel J Walsh wrote:
> Well I don't really believe in confining firefox in this way, because of
> the transitions available.
>
> You can confine nsplugin though
>
> http://danwalsh.livejournal.com/15700.html
>
> The problem with confining firefox is somewhat covered in this article,
> but where it really breaks is in helper applications.

Yes, I'm a reader of your blog (thanks for posting this interesting information).

> unconfined_mozilla_t runs ooffice and office ends up in
> unconfined_mozilla_t but if thunderbird or you launch ooffice directly
> it runs unconfined_t and things get confused.

For me it would be fine to save a file (pdf, odt, ...) to disk (~/Downloads) prior to opening it with the appropriate program (pdf-reader, openoffice, ...) in the unconfined_t domain, and not to start these programs directly within firefox. I admit that a normal end user would not like this extra step just to get more security.

regards,
Christoph A.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list