
09-20-2008 07:14 PM

where can I find source policy for Mozilla Browser (Firefox)
 
Hi,
Where can I find the source policy for Mozilla Firefox?

From the SELinux administration tool, I see that the Mozilla module has
been loaded?


But I find the following through the command "ps -Z":
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34 firefox

Can I say that the policy for Firefox in my machine is not enforced yet?

How can I make the policy be enforced?

What is the status of the policy writing for Firefox?
In one web article, Dan said that the policy writing for Firefox has
little success due to its variant behaviour.


I am a beginner with SELinux.
Thanks a lot.
Yiru

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Jason Edgecombe 09-20-2008 08:27 PM

yiruli@ccsl.carleton.ca wrote:
> Hi,
> Where can I find the source policy for Mozilla Firefox?
>
> From the SELinux administration tool, I see that Mozilla module has
> been loaded?
>
> But I find the following through the command "ps -Z":
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34
> firefox
>
> Can I say that the policy for Firefox in my machine is not enforced yet?
>
> How can I make the policy be enforced?
>
> What is the status of the policy writing for Firefox?
> In one web article, Dan said that the policy writing for Firefox has
> little success due to its variant behaviour.
What about changing the root password, then giving the customer (and
other internal people) access via sudo with an auditing shell like eash.
They still have a root shell, it's just audited now.

See http://www.rootprompt.org/article.php3?article=10015

If you don't have selinux, then you can also write a library that logs the
system calls that you want and load it with LD_PRELOAD in a script that
is run via sudo.

Jason


09-21-2008 04:25 AM

On Sat, 20 Sep 2008 16:27:43 EDT, Jason Edgecombe said:
> yiruli@ccsl.carleton.ca wrote:
> > Hi,
> > Where can I find the source policy for Mozilla Firefox?
> >
> > From the SELinux administration tool, I see that Mozilla module has
> > been loaded?
> >
> > But I find the following through the command "ps -Z":
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34
> > firefox
> >
> > Can I say that the policy for Firefox in my machine is not enforced yet?
> >
> > How can I make the policy be enforced?
> >
> > What is the status of the policy writing for Firefox?
> > In one web article, Dan said that the policy writing for Firefox has
> > little success due to its variant behaviour.
> What about changing the root password, then giving the customer (and
> other internal people) access vis sudo with an auditing shell like eash.
> They still have a root shell, it's just audited now.

That's not addressing the *big* problem with things like Firefox.

The original poster probably wants Firefox policy enforced so that if an
exploit is found in Firefox, the damage is basically contained to the user's
~/.mozilla directory (where Firefox reads/writes its files), and the now-rogue
Firefox process can't go snooping around in other sensitive files (like the
ones in your .ssh or .gpg directories).

I don't see where the root password even enters into it - does *anybody*
run a browser as root?


Stephen Smalley 09-22-2008 02:42 PM

On Sat, 2008-09-20 at 15:14 -0400, yiruli@ccsl.carleton.ca wrote:
> Hi,
> Where can I find the source policy for Mozilla Firefox?
>
> From the SELinux administration tool, I see that Mozilla module has
> been loaded?
>
> But I find the following through the command "ps -Z":
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34 firefox
>
> Can I say that the policy for Firefox in my machine is not enforced yet?
>
> How can I make the policy be enforced?
>
> What is the status of the policy writing for Firefox?
> In one web article, Dan said that the policy writing for Firefox has
> little success due to its variant behaviour.

Try mapping your user identity to a confined user (e.g. user_u or
staff_u) via semanage login or system-config-selinux, and see if that
yields firefox running in its own domain. Fedora policy likely only
defines the transition from the confined user domains to the browser domain.

Or you could add a local policy module that defines a transition from
unconfined_t to mozilla_t.

--
Stephen Smalley
National Security Agency

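The two remedies Stephen describes, written out as a small shell helper. This is an added example, not code from the thread or from the Fedora policy; it assumes the loaded policy defines the types mozilla_t and mozilla_exec_t (the latter is not named in the thread) and the refpolicy domtrans_pattern macro, and uses semanage login for the mapping as he suggests.

```shell
#!/bin/sh
# Added example, not from the thread: the two options Stephen suggests.
#
# Option 1: map the Linux login to a confined SELinux user so the
# confined-user -> browser transition that Fedora policy already defines
# applies at the next login.  Usage: map_login_confined alice staff_u
map_login_confined() {
    login="$1"; seuser="${2:-staff_u}"
    # -a adds a new mapping; use -m instead if the login is already listed
    semanage login -a -s "$seuser" "$login"
    # reset the SELinux user field on the home directory to match
    restorecon -R -F "/home/$login"
}

# Option 2: a local module adding the unconfined_t -> mozilla_t transition.
# Assumptions: the loaded policy defines mozilla_t and mozilla_exec_t
# (check with `seinfo -t | grep mozilla`; per-role builds may use other
# names), and domtrans_pattern is the refpolicy domain-transition macro.
write_local_module() {   # $1 = path of the .te file to write
    cat >"$1" <<'EOF'
policy_module(local_mozilla, 1.0)

gen_require(`
    type unconfined_t, mozilla_t, mozilla_exec_t;
    role unconfined_r;
')

# executing a mozilla_exec_t binary from unconfined_t enters mozilla_t
domtrans_pattern(unconfined_t, mozilla_exec_t, mozilla_t)
# the unconfined_r role must be allowed to hold the mozilla_t domain
role unconfined_r types mozilla_t;
EOF
}

# Compile and load the module (checkpolicy + policycoreutils, run as root).
install_local_module() {   # $1 = .te file written above
    base="${1%.te}"
    checkmodule -M -m -o "$base.mod" "$1" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# After either change, log out and back in, then check with
#   ps -eZ | grep firefox
# a type ending in mozilla_t is expected instead of unconfined_t.
```

Both options change the login mapping or the loaded policy for every session of that user, so try them on a test account first.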

Daniel J Walsh 09-22-2008 03:28 PM

yiruli@ccsl.carleton.ca wrote:
> Hi,
> Where can I find the source policy for Mozilla Firefox?
>
> From the SELinux administration tool, I see that Mozilla module has been
> loaded?
>
> But I find the following through the command "ps -Z":
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34
> firefox
>
> Can I say that the policy for Firefox in my machine is not enforced yet?
>
> How can I make the policy be enforced?
>
> What is the status of the policy writing for Firefox?
> In one web article, Dan said that the policy writing for Firefox has
> little success due to its variant behaviour.
>
> I am a beginner of SELinux.
> Thanks a lot.
> Yiru
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
In Fedora the only domain that transitions to the firefox
policy is xguest. Every other user type, including unconfined_t above,
runs firefox without a transition.


So if ps -eZ | grep firefox shows unconfined_t firefox, it means it has
the privs of the unconfined_t domain. It can do everything the user's
shell can do.

There is policy to confine mozilla, but usually this ends up breaking
more things than users are willing to put up with. So we have decided
to concentrate on confining the users (staff_t, user_t, xguest_t,
guest_t) and the plugins. So firefox might run in staff_t but the
plugin it execs will run in staff_nsplugin_t. Plugins have a very
confined domain.

The real problem with confining firefox is the number of applications
that it launches (openoffice, evince, acroread, email...), and writing
policy for the confinement of all of these, plus the interaction with
users launching the same apps from the toolbar, is just not manageable.

So what does the mozilla policy that is loaded on my machine do? Well, it
defines file contexts for directories like .mozilla. It is also used for
the transition from xguest_t to xguest_mozilla_t.

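Dan's check, ps -eZ | grep firefox, as a small script that reads the process label and reports whether firefox left the user's domain. This is an added example, not from the thread; the ps output it parses is constructed to show one user whose firefox did not transition (the original poster's case) and one xguest session where it did.

```shell
#!/bin/sh
# Added example, not from the thread: decide from `ps -eZ` output whether
# firefox transitioned into a browser domain or still carries the full
# privileges of the user's shell domain, as Dan describes.

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD):
# an unconfined_u user whose firefox stayed in unconfined_t, and an
# xguest session whose firefox moved to xguest_mozilla_t.
SAMPLE_PS='LABEL                                       PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ?  00:17:34 firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2410 pts/0 00:00:00 bash
xguest_u:xguest_r:xguest_t:s0                3100 pts/1     00:00:00 bash
xguest_u:xguest_r:xguest_mozilla_t:s0        3142 ?        00:01:02 firefox'

# Print the type field (third part of user:role:type[:range]) of every
# process whose command is $2, reading ps -eZ text from $1.
proc_types() {   # $1 = ps -eZ text, $2 = command name
    printf '%s\n' "$1" | awk -v cmd="$2" '
        NR > 1 && $NF == cmd { split($1, c, ":"); print c[3] }'
}

# Return 0 when every firefox process runs in a *mozilla_t domain;
# otherwise print the offending type and return 1.
firefox_confined() {   # $1 = ps -eZ text
    rc=0
    for t in $(proc_types "$1" firefox); do
        case "$t" in
            *mozilla_t) ;;                                   # transitioned
            *) echo "firefox runs as $t (no transition)"; rc=1 ;;
        esac
    done
    return $rc
}

# Dan's criterion per user: firefox in the same domain as the shell can
# do everything the shell can do.  $2 is the SELinux user prefix
# (unconfined, xguest, staff, ...); returns 0 when the domains match.
same_domain_as_shell() {   # $1 = ps -eZ text, $2 = SELinux user prefix
    ff=$(printf '%s\n' "$1" | awk -v u="$2" \
        '($1 ~ ("^" u "_u:")) && $NF == "firefox" { split($1, c, ":"); print c[3] }')
    sh=$(printf '%s\n' "$1" | awk -v u="$2" \
        '($1 ~ ("^" u "_u:")) && $NF == "bash" { split($1, c, ":"); print c[3] }')
    [ -n "$ff" ] && [ "$ff" = "$sh" ]
}
```

On a live system feed it real output with firefox_confined "$(ps -eZ)".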

