writing a firefox policy
Peter Pun
peter.pun at gmail.com
Thu Jul 20 06:11:50 UTC 2006
Hi
I want to write a policy for firefox, as to me, it is almost an
always-on always-running network daemon.
I think there will always be another vulnerability leading to remote
code execution. But how can a policy protect against that?
Using policygentool, I created a policy for firefox-bin. It created a
domain. And I labeled the starter script /usr/bin/firefox as
"initrc_exec_t" . The ".mozilla" dir became the log dir. I also
created a dir labeled "download_t" so I can save files there. I think
I should take away "read" for "user_home_t" too.
So I guess the new domain will prevent transition into bin_t, sbin_t
and others. But I notice the generated te allows exec of all "lib_t"
libraries. That is an awful lot of libraries with lots of functions
and probably a lot of bugs. Should I be worried? If I follow the
doctrine of whitelisting everything and least privilege, I ought to
label and specifically permit only the libraries that are needed,
right? I am starting on identifying and labelling, but I have a
feeling that it will become a maintenance nightmare.
Maybe I don't fully understand "remote code execution". To me, it just
means being able to conjure up a shell and running some hacker magic
to gain root. Maybe the exploit doesn't even require a shell, and can
wiggle its way through the vast lib_t for its own end. :(
Apart from minimal library usage, what other correct behaviours should
I restrict firefox to?
Peter
More information about the fedora-selinux-list
mailing list