Thank you, unknown genius!
Rahul Sundaram
sundaram at fedoraproject.org
Sat Apr 12 22:47:36 UTC 2008
Les Mikesell wrote:
> Bruno Wolff III wrote:
>
>>>> Bruno is noting that the current methods of exploitation tend to be web
>>>> pages, flash, java, media files and a firewall isn't going to be of
>>>> much
>>>> help with this type of intrusion but selinux clearly could be a
>>>> layer of
>>>> use here.
>>> Does it actually prevent browser plugins from doing things that the
>>> running user can't do in the default configuration?
>>
>> Yes.
>
> I thought plugins ran as libraries within the same process. SELinux can
> prevent them from loading which isn't particularly useful. How can it
> control separately what a plugin can do without breaking the browser's
> own ability to it?
I already gave you the link earlier. Nspluginwrapper is installed by
default which can run plugins in a separate memory address making it
possible to confine it by policy. If a flash plugin tries to access
files under .ssh for example, SELinux policy can prevent that as a
obvious violation.
Rahul
More information about the fedora-list
mailing list