yiruli@xxxxxxxxxxxxxxxx wrote:
> Hi,
> Where can I find the source policy for Mozilla Firefox?
>
> From the SELinux administration tool, I see that Mozilla module has been
> loaded?
>
> But I find the following through the command "ps -Z":
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34
> firefox
>
> Can I say that the policy for Firefox in my machine is not enforced yet?
>
> How can I make the policy be enforced?
>
> What is the status of the policy writing for Firefox?
> In one web article, Dan said that the policy writing for Firefox has
> little success due to its variant behaviour.
>
> I am a beginner of SELinux.
> Thanks a lot.
> Yiru
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

In Fedora the only transition domain that transitions to firefox policy is xguest. Every other user type, including unconfined_t above, runs firefox without transition. So if

ps -eZ | grep firefox

shows unconfined_t firefox, it means it has the privs of the unconfined_t domain. It can do everything the user's shell can do.

There is policy to confine mozilla, but usually this ends up breaking more things than users are willing to put up with. So we have decided to concentrate on confining the users (staff_t, user_t, xguest_t, guest_t) and the plugins. So firefox might run in staff_t but the plugin it execs will run in staff_nsplugin_t. Plugins have a very confined domain.

The real problem with confining firefox is the number of applications that it launches (openoffice, evince, acroread, email...). And writing policy for the confinement of all of these, plus the interaction with users launching the same apps from the toolbar, is just not manageable.

So what does the mozilla policy do that is loaded on my machine? Well, it defines file context for directories like .mozilla. It also is used for the transition from xguest_t to xguest_mozilla_t.
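The check described in the reply, as an added example that is not part of the original thread: a shell script that pulls the domain (type) out of each `ps -eZ` label and reports what that domain implies for the process. The first sample line is the label quoted in the question; the other sample lines, the `plugin-helper` command name and the verdict strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret `ps -eZ` labels for a given command name.

# Constructed sample in `ps -eZ` column order (LABEL PID TTY TIME CMD).
# The first process line is the one quoted in the thread; the rest are made up.
SAMPLE='LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34 firefox
xguest_u:xguest_r:xguest_mozilla_t:s0 3101 ? 00:00:12 firefox
staff_u:staff_r:staff_t:s0 3190 ? 00:01:40 firefox
staff_u:staff_r:staff_nsplugin_t:s0 3205 ? 00:00:03 plugin-helper'

# A label is user:role:type:level. The level (s0-s0:c0.c1023) may contain
# colons itself, so take the third field rather than the last-but-one.
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Map a domain to a verdict, using only the domains named in the thread.
classify() {
    case "$1" in
        unconfined_t)                    echo "unconfined" ;;
        *_mozilla_t|mozilla_t)           echo "mozilla-policy" ;;
        *_nsplugin_t|nsplugin_t)         echo "plugin-domain" ;;
        staff_t|user_t|xguest_t|guest_t) echo "confined-user" ;;
        *)                               echo "other" ;;
    esac
}

# report NAME: read `ps -eZ` lines on stdin, print "PID CMD DOMAIN VERDICT"
# for every process whose command contains NAME.
report() {
    while read -r label pid _tty _time cmd; do
        if [ "$label" = "LABEL" ]; then continue; fi   # skip header row
        case "$cmd" in *"$1"*) ;; *) continue ;; esac
        dom=$(domain_of "$label")
        printf '%s %s %s %s\n' "$pid" "$cmd" "$dom" "$(classify "$dom")"
    done
}

# On a live system: ps -eZ | report firefox
printf '%s\n' "$SAMPLE" | report firefox
```

A firefox process reported as `unconfined` or `confined-user` has not transitioned and carries the privileges of the launching user's domain, which is the situation the reply describes for every user type except xguest.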