where can I find source policy for Mozilla Browser (Firefox)

Daniel J Walsh dwalsh at redhat.com
Mon Sep 22 15:28:36 UTC 2008


yiruli at ccsl.carleton.ca wrote:
> Hi,
> Where can I find the source policy for Mozilla Firefox?
> 
> From the SELinux administration tool, I see that Mozilla module has been
> loaded?
> 
> But I find the following through the command "ps -Z":
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34
> firefox
> 
> Can I say that the policy for Firefox in my machine is not enforced yet?
> 
> How can I make the policy be enforced?
> 
> What is the status of the policy writing for Firefox?
> In one web article, Dan said that the policy writing for Firefox has
> little success due to its variant behaviour.
> 
> I am a beginner of SELinux.
> Thanks a lot.
> Yiru
> 
In Fedora the only transition domain that transitions to firefox
policy is xguest.  Every other user type including unconfined_t above
runs firefox without transition.


So if ps -eZ | grep firefox shows unconfined_t firefox, it means it has
the privs of the unconfined_t domain.  It can do everything the user's
shell can do.

There is policy to confine mozilla, but usually this ends up breaking
more things than users are willing to put up with.  So we have decided
to concentrate on confining the users (staff_t, user_t, xguest_t,
guest_t) and the plugins.  So firefox might run in staff_t but the
plugin it execs will run in staff_nsplugin_t.  Plugins have a very
confined domain.

The real problem with confining firefox is the number of applications
that it launches (openoffice, evince, acroread, email...).  And writing
policy for the confinement of all of these, plus the interaction with
users launching the same apps from the toolbar, is just not manageable.

So what does the mozilla policy that is loaded on my machine do?  Well, it
defines file context for directories like .mozilla.  It is also used for
the transition from xguest_t to xguest_mozilla_t.
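
An added example, not part of the original message: a shell check that applies the reading of `ps -eZ` described in the reply and reports whether each firefox process runs in unconfined_t, in a mozilla policy domain, or in its user's domain. The sample ps lines are constructed, and the function names and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify firefox processes by SELinux domain.
# Input lines follow `ps -eZ` layout: LABEL PID TTY TIME CMD

# Constructed sample; the first line mirrors the ps -Z output in the question.
sample_ps() {
cat <<'EOF'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34 firefox
xguest_u:xguest_r:xguest_mozilla_t:s0 3101 ? 00:00:12 firefox
staff_u:staff_r:staff_t:s0-s0:c0.c1023 3250 ? 00:01:02 firefox
system_u:system_r:sshd_t:s0-s0:c0.c1023 900 ? 00:00:00 sshd
EOF
}

# Prints "PID TYPE VERDICT" for every firefox process on stdin.
classify_firefox() {
    awk '$NF == "firefox" {
        # A context is user:role:type[:level]. The MLS level can contain
        # colons itself (s0-s0:c0.c1023), so the type is always field 3,
        # never "the last field" or "the second to last".
        split($1, ctx, ":")
        type = ctx[3]

        if (type == "unconfined_t")
            verdict = "unconfined"       # same privileges as the shell
        else if (type ~ /_mozilla_t$/)
            verdict = "mozilla-domain"   # transitioned, e.g. from xguest_t
        else
            verdict = "user-domain"      # no transition: staff_t, user_t, ...

        print $2, type, verdict
    }'
}

# Runs against the constructed sample. On a live system, use:
#   ps -eZ | classify_firefox
sample_ps | classify_firefox
```
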



