browser_confine_xguest

Daniel J Walsh dwalsh at redhat.com
Thu Dec 4 19:34:36 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Griffiths wrote:
> The name/ usage of browser_confine_xguest is a bit confusing and 
> system-config-selinux does not give any enlightenment.
> 
> It may not even matter since I do not have xguest installed, but for academic 
> purposes, does browser_confine_xguest confine the xguest to only browsing the 
> localhost if it is on or off? Dan Walsh's journal seems to indicate that this 
> should be on to allow browsing of the Internet by xguest which would seem to be 
> the opposite of confine.
Well in this case confine is probably a bad name.  Really this boolean
defines whether or not xguest will transition to xguest_mozilla_t when
running firefox.  "Confinement" is in the eye of the beholder.
xguest_mozilla_t can not do as much on the local system as xguest_t so
it is more confined on the local system, but has more access to the
network.  So I guess the boolean should be called transition.

browser_transition_xguest probably would have been a better name, and
boy do I wish we had a means of aliasing boolean names.  Since we picked
so many bad ones over the years.
> 
>     This indicates whether the xguest account will transition to
>     xguest_mozilla_t or not.  If you turn this boolean on, xguest will be able
>     to browse the web using firefox/mozilla.  If you turn it off the account
>     will only be allowed to run mozilla/firefox locally.  You will not have any
>     access to the net. -- http://danwalsh.livejournal.com/13376.html
> 
> Am I just reading this wrong?
> 
> Regards,
> John
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk4MMwACgkQrlYvE4MpobNUWgCeJvSZBFQz9ILu+6s1/7ai7Awg
J9YAoNWFTnKn2PpEsdYtzUIp3TQMJcr2
=cZVi
-----END PGP SIGNATURE-----




More information about the fedora-selinux-list mailing list