On Sat, 2015-08-08 at 08:43 +0800, Ed Greshko wrote:
> On 08/08/15 08:30, William Brown wrote:
> > On Sat, 2015-08-08 at 08:26 +0800, Ed Greshko wrote:
> > > Not being a student of selinux I wonder if it would have protected users
> > > and the system against the recently discovered firefox exploit.
> > >
> > > https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
> > >
> > Normally firefox would run in your user's context (unconfined_t), so no, this
> > would not have prevented it.
> >
> > Unless you run a confined user, or firefox in a sandbox, these may have
> > limited the scope of the damage.
> >
>
> Thank you.
>
> Follow up. How about system files such as /etc/passwd ?

/etc/passwd doesn't really matter, it's /etc/shadow you should worry about. But
normally you can't even read shadow:

    ls -al /etc/{passwd,shadow}
    ls: cannot access /etc/shadow: Permission denied
    -rw-r--r--. 1 root root 3252 Jun 28 17:30 /etc/passwd

As root you can see:

    -rw-r--r--. 1 root root 3252 Jun 28 17:30 /etc/passwd
    ----------. 1 root root 1645 Jun 28 17:30 /etc/shadow

I'd be more worried about SSH keys in ~/.ssh that don't have a password (protip.
They should have passwords), and other things like that.

--
William Brown <william@xxxxxxxxxxxxxxxx>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
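
The reply above points at private keys in ~/.ssh that have no passphrase. The following is an added example, not part of the original message, that lists such keys by reading each file's header. The function names are hypothetical and the sample keys are constructed stubs, not usable keys.

```python
import base64, binascii, re, struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"  # start of the decoded new-format OpenSSH key blob
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def key_is_encrypted(text):
    """True/False for a private key; None if text holds no parsable private key."""
    m = PEM_RE.search(text)
    if not m:
        return None
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":       # PKCS#8, encrypted form
        return True
    if label == "OPENSSH PRIVATE KEY":         # cipher name follows the magic
        try:
            blob = base64.b64decode("".join(body.split()))
            off = len(MAGIC)
            (n,) = struct.unpack(">I", blob[off:off + 4])
        except (binascii.Error, struct.error):
            return None
        if not blob.startswith(MAGIC):
            return None
        return blob[off + 4:off + 4 + n] != b"none"
    # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header
    return "Proc-Type: 4,ENCRYPTED" in body

def audit_ssh_dir(directory):
    """Names of files in directory that hold a private key with no passphrase."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        try:
            if path.is_file() and key_is_encrypted(path.read_text(errors="replace")) is False:
                findings.append(path.name)
        except OSError:
            continue  # unreadable file: skip, as with /etc/shadow for a normal user
    return findings

def sample_openssh_key(cipher):
    """Constructed sample: magic plus cipher name only, not a usable key."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample of a legacy PEM key that is passphrase-protected
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    ssh_dir = Path.home() / ".ssh"
    if ssh_dir.is_dir():
        for name in audit_ssh_dir(ssh_dir):
            print(f"no passphrase: {ssh_dir / name}")
```

A key reported here can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`.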