Thank you, unknown genius!
Les Mikesell
lesmikesell at gmail.com
Sat Apr 12 23:09:41 UTC 2008
Rahul Sundaram wrote:
>
>>>>> Bruno is noting that the current methods of exploitation tend to be web
>>>>> pages, flash, java, media files and a firewall isn't going to be of much
>>>>> help with this type of intrusion but selinux clearly could be a layer of
>>>>> use here.
>>>> Does it actually prevent browser plugins from doing things that the
>>>> running user can't do in the default configuration?
>>>
>>> Yes.
>>
>> I thought plugins ran as libraries within the same process. SELinux
>> can prevent them from loading which isn't particularly useful. How can
>> it control separately what a plugin can do without breaking the
>> browser's own ability to do it?
>
> I already gave you the link earlier. Nspluginwrapper is installed by
> default which can run plugins in a separate memory address making it
> possible to confine it by policy. If a flash plugin tries to access
> files under .ssh for example, SELinux policy can prevent that as an
> obvious violation.
That hasn't been released yet, has it? Are there policies that actually
do something useful that are known not to break anything?
--
Les Mikesell
lesmikesell at gmail.com