Confining Firefox
Stephen Smalley
sds at tycho.nsa.gov
Fri Apr 11 13:33:19 UTC 2008
On Fri, 2008-04-11 at 10:02 +0100, Anne Wilson wrote:
> On Thursday 10 April 2008 08:52:31 pm Daniel J Walsh wrote:
> > If you run your plugins in confined mode
> >
> > # setsebool -P allow_unconfined_nsplugin_transition=1
> > # yum install nspluginwrapper
> > # restorecon -R -v ~/
> >
> > None of the plugins will be allowed to read directories like .ssh or
> > .gpg in your home directory.
> >
> > firefox is really difficult to confine, but with nsplugin you can
> > confine the plugins fairly well.
>
> Could you please clarify for me - Does the restorecon need to be run every
> time anything is installed to the ~/?
Only if the default inheritance or type transition rule doesn't yield
the desired type for the file. That can happen if you e.g. move aside a
directory and re-create it and it needs its own distinct type from the
parent directory in order to differentiate it in policy.
You can also avoid the need to manually run restorecon by configuring
restorecond to watch for the specific directories and/or files in
question (via /etc/selinux/restorecond.conf), in which case the daemon
will automatically label those files upon creation.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list