package review?
Daniel J Walsh
dwalsh at redhat.com
Fri Jul 21 15:10:21 UTC 2006
Peter Harmsen wrote:
> Is there any change a firefox policy will be included
> as default?
>
I am thinking of adding a boolean for people who want to use
firefox/thunderbird/evolution policy. So by
default we would have disable trans. And force a relabel or use
restorecond for labeling users homedirs. for .mozilla and .thunderbird
directories.
The problem with these policies is that these applications are Huge and
are difficult to lock down in any meaning full way.
For example:
We could lock down Firefox to only be able to read pages. And perhaps
only down load files to a particular directory.
Which directory? What happens if the user changes the directory?
Now what happens when they down load a .doc or .ppt file? Do you want
me to lauch OpenOffice? If yes what context
should OpenOffice run under? Should I treat the data as Untrusted? How
does the user change it to trusted?
How about if they download an RPM package? What about additional plugins.
All these issues exist in Mailers also.
> On 7/21/06, Wart <wart at kobold.org> wrote:
>> Daniel J Walsh wrote:
>> > allow crossfire_t port_t:udp_socket send_msg;
>> > allow crossfire_t port_t:tcp_socket name_bind;
>> > You need to define a port for this socket and only allow name_bind to
>> > that port
>>
>> I know I'm missing something obvious here, but which macro can I use to
>> add this restriction? I saw references to http_port_t and ntp_port_t in
>> corenetwork.if, but didn't see anything that actually defined it to be
>> port 80 (http) or port 123 (ntp).
>>
>> --Mike
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>
>
More information about the fedora-selinux-list
mailing list