Why is mozplugger still installed by default on F11? It conflicts with SELinux since it causes oofice to run as nsplugin_t

Simo Sorce ssorce at redhat.com
Fri Apr 17 14:56:07 UTC 2009


On Fri, 2009-04-17 at 10:46 -0400, Daniel J Walsh wrote:
> On 04/17/2009 10:23 AM, Simo Sorce wrote:
> > On Fri, 2009-04-17 at 10:08 -0400, Daniel J Walsh wrote:
> >> There is certainly argument about the value of this package and it
> >> breaks nsplugin/SELinux functionality.
> >>
> >> A confined nsplugin is a nice feature for confining plugins downloaded
> >> from the network.  But if you run openoffice and evince from within
> >> nsplugin they get confined, causing the apps to not work properly.
> >
> > Is there a way to make specific transition rules for known apps like
> > evince or openoffice?
> > Would it make sense to do so?
> >
> > Simo.
> >
> Yes I can but the rules end up being something like
> 
> nsplugin_t -> openoffice_exec_t -> unconfined_t.
> 
> So if someone can figure out a way to get openoffice to do something 
> evil from the command line, it becomes a fairly easy avenue of attack.
> 
> Similarly for evince.

Should we write a wrapper then that checks the command line and restricts
what can be done with it?
Maybe also lobby application developers to add a --insecure parameter
to their apps that we can pass down so that they can take extra
precautions when possible (maybe disable macros by default when a file
is labeled as "downloaded", or disable any write operation except "save
a copy" and stuff like that)?

Or maybe ask application writers to support reading the SELinux label of
the files they are opening and mark files downloaded from firefox as
"download_t" or something similar so that they know it is a potential
threat.


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
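The wrapper idea in the message above, written out as an added example (this is not code from the thread, Fedora or any of the projects named): a small launcher that a plugin could call instead of the viewer directly. It refuses option-like arguments so the plugin-supplied command line cannot inject viewer flags, reads each file's SELinux label from the `security.selinux` xattr, and opens files carrying a "downloaded" type read-only. The type name `download_t` is the one proposed in the message, not an existing policy type, and the `READ_ONLY_ARGS` table is an assumption; `--view` is LibreOffice/OpenOffice's read-only switch (older OpenOffice.org builds spell it `-view`).

```python
#!/usr/bin/env python3
"""Hypothetical viewer wrapper (added example, not from the thread).

1. Reject any argument that starts with '-' so a crafted command line
   cannot become a viewer option.
2. Read each file's SELinux context and treat the proposed download_t
   type as untrusted.
3. Open untrusted files with the viewer's read-only switch, then exec.
"""
import os
import sys

# Assumption: file types that mark content as fetched from the network.
# download_t is the name proposed in the thread, not a real policy type.
UNTRUSTED_TYPES = {"download_t"}

# Assumption: viewer -> extra arguments that open a document read-only.
# LibreOffice/OpenOffice accept --view (older OpenOffice.org: -view).
READ_ONLY_ARGS = {"soffice": ["--view"]}


def parse_context(ctx):
    """Split an SELinux context 'user:role:type:level' into four fields.

    The MLS level may itself contain colons (e.g. s0-s0:c0.c1023), so the
    string is split at most three times.  A trailing NUL, as returned by the
    security.selinux xattr, is stripped first."""
    parts = ctx.rstrip("\0").split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % ctx)
    level = parts[3] if len(parts) == 4 else ""
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}


def is_untrusted(ctx):
    """True when the context's type is one of the 'downloaded' types."""
    return parse_context(ctx)["type"] in UNTRUSTED_TYPES


def file_context(path):
    """Read the file's SELinux label from the security.selinux xattr.

    Returns None when the platform or filesystem provides no label."""
    try:
        return os.getxattr(path, "security.selinux").decode("utf-8", "replace")
    except (OSError, AttributeError):
        return None


def validate_args(args, is_file=os.path.isfile):
    """Accept only existing regular files.

    Anything starting with '-' is rejected outright; is_file is injectable
    so the check can be exercised without touching the filesystem."""
    if not args:
        raise ValueError("no file given")
    for a in args:
        if a.startswith("-"):
            raise ValueError("option-like argument rejected: %r" % a)
        if not is_file(a):
            raise ValueError("not a regular file: %r" % a)
    return list(args)


def build_command(viewer, paths, untrusted):
    """Build the argv to exec; untrusted input gets the read-only switch."""
    cmd = [viewer]
    if untrusted:
        cmd += READ_ONLY_ARGS.get(viewer, [])
    return cmd + paths


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: wrapper VIEWER FILE...\n")
        return 2
    viewer, args = argv[0], argv[1:]
    try:
        paths = validate_args(args)
    except ValueError as e:
        sys.stderr.write("refused: %s\n" % e)
        return 1
    # Fail closed: a file without a readable label counts as untrusted.
    untrusted = any(
        ctx is None or is_untrusted(ctx)
        for ctx in (file_context(p) for p in paths)
    )
    cmd = build_command(viewer, paths, untrusted)
    os.execvp(cmd[0], cmd)  # replace the wrapper with the viewer process


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `wrapper soffice /path/to/file.odt`. The wrapper only narrows what the viewer is asked to do; it does not change the domain transition that the reply above describes, so it complements rather than replaces the policy question.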
