04-09-2008, 10:57 PM
Christoph Höger
Confining Firefox

Hi,

I've just read Daniel's livejournal entry about confining firefox.
One thing that hit me, when I dug a little deeper into SELinux last
semester, was that firefox can actually read ~/.ssh.
I don't know _any_ reason why it should.
And I assume this is one kind of access that SELinux should prevent.
Away from talking about explicit deny rules, I would suggest that in
fedora 9 you (the active SELinux developers) deny it using something
like an "unconfined_for_all_applications_but_firefox_and_fellows_t" to
cut off those security relevant directories.
Otherwise the next *-plugin exploit could crack even whole enterprise
networks by reading admins' ssh keys.

regards

christoph


ps: What is the current state of getting a real
"High-Level-Language(TM)" for SELinux configuration?

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
04-10-2008, 07:52 PM
Daniel J Walsh
Confining Firefox

Christoph Höger wrote:
> Hi,
>
> I've just read Daniel's livejournal entry about confining firefox.
> One thing that hit me, when I dug a little deeper into SELinux last
> semester, was that firefox can actually read ~/.ssh.
> I don't know _any_ reason why it should.
> And I assume this is one kind of access that SELinux should prevent.
> Away from talking about explicit deny rules, I would suggest that in
> fedora 9 you (the active SELinux developers) deny it using something
> like an "unconfined_for_all_applications_but_firefox_and_fellows_t" to
> cut off those security relevant directories.
> Otherwise the next *-plugin exploit could crack even whole enterprise
> networks by reading admins' ssh keys.
If you run your plugins in confined mode

# setsebool -P allow_unconfined_nsplugin_transition=1
# yum install nspluginwrapper
# restorecon -R -v ~/

None of the plugins will be allowed to read directories like .ssh or
.gpg in your home directory.

firefox is really difficult to confine, but with nsplugin you can
confine the plugins fairly well.


>
> regards
>
> christoph
>
>
> ps: What is the current state of getting a real
> "High-Level-Language(TM)" for SELinux configuration?

 
04-11-2008, 09:02 AM
Anne Wilson
Confining Firefox

On Thursday 10 April 2008 08:52:31 pm Daniel J Walsh wrote:
> If you run your plugins in confined mode
>
> # setsebool -P allow_unconfined_nsplugin_transition=1
> # yum install nspluginwrapper
> # restorecon -R -v ~/
>
> None of the plugins will be allowed to read directories like .ssh or
> .gpg in your home directory.
>
> firefox is really difficult to confine, but with nsplugin you can
> confine the plugins fairly well.

Could you please clarify for me: does restorecon need to be run every
time anything is installed to ~/?

(How many places do I have to check to make everything use the GB keyboard
layout? In some places it does use it, in others it doesn't. It's driving
me mad!)

Anne

 
04-11-2008, 09:21 AM
Anne Wilson
Confining Firefox

On Friday 11 April 2008 10:02:54 am Anne Wilson wrote:
> (How many places do I have to check to make everything use the GB keyboard
> layout? In some places it does use it, in others it doesn't. It's driving
> me mad!)

Don't answer that. I'll start a new thread

Anne

 
04-11-2008, 01:33 PM
Stephen Smalley
Confining Firefox

On Fri, 2008-04-11 at 10:02 +0100, Anne Wilson wrote:
> On Thursday 10 April 2008 08:52:31 pm Daniel J Walsh wrote:
> > If you run your plugins in confined mode
> >
> > # setsebool -P allow_unconfined_nsplugin_transition=1
> > # yum install nspluginwrapper
> > # restorecon -R -v ~/
> >
> > None of the plugins will be allowed to read directories like .ssh or
> > .gpg in your home directory.
> >
> > firefox is really difficult to confine, but with nsplugin you can
> > confine the plugins fairly well.
>
> Could you please clarify for me - Does the restorecon need to be run every
> time anything is installed to the ~/?

Only if the default inheritance or type transition rule doesn't yield
the desired type for the file. That can happen if you e.g. move aside a
directory and re-create it and it needs its own distinct type from the
parent directory in order to differentiate it in policy.

You can also avoid the need to manually run restorecon by configuring
restorecond to watch for the specific directories and/or files in
question (via /etc/selinux/restorecond.conf), in which case the daemon
will automatically label those files upon creation.

--
Stephen Smalley
National Security Agency

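Added example (not code from this thread, from Fedora or from the SELinux project): a small Python checker that shows when Stephen's answer applies, i.e. when a file's actual label no longer matches what the policy's file_contexts would assign it, which is exactly what the `restorecon -R -v ~/` step in Daniel's recipe repairs. The three file_contexts rules and the `ls -Z`-style snapshot of a home directory are constructed for the example (a real file_contexts is far longer); `HOME_DIR` is the placeholder the policy source uses for a user's home, and `ssh_home_t` and `gpg_secret_t` are the types the targeted policy assigns to ~/.ssh and ~/.gnupg. The matcher applies the last-match-wins precedence of file_contexts and, like restorecon without `-F`, compares only the type field of the context.

```python
import re

# Constructed, abbreviated sample of file_contexts entries (same line format
# as /etc/selinux/<policy>/contexts/files/file_contexts, but only three
# rules). HOME_DIR is the placeholder the policy uses for a user's home
# directory. When several entries match a path, the last one listed wins,
# which is the precedence rule libselinux applies.
FILE_CONTEXTS = r"""
HOME_DIR/.*               system_u:object_r:user_home_t:s0
HOME_DIR/\.ssh(/.*)?      system_u:object_r:ssh_home_t:s0
HOME_DIR/\.gnupg(/.+)?    system_u:object_r:gpg_secret_t:s0
"""


def parse_file_contexts(text):
    """Return a list of (regex, context) pairs in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Real entries may carry an optional file-type field (e.g. "-d")
        # between the regex and the context; only first and last are needed.
        rules.append((fields[0], fields[-1]))
    return rules


def expected_context(path, rules, home):
    """Context the policy assigns to `path`, or None if no entry matches."""
    chosen = None
    for regex, context in rules:
        pattern = regex.replace("HOME_DIR", re.escape(home))
        if re.fullmatch(pattern, path):
            chosen = context  # keep going: a later matching entry overrides
    return chosen


def type_of(context):
    """user:role:type:level -> type, the part restorecon compares by default."""
    return context.split(":")[2]


def relabel_plan(snapshot, rules, home):
    """
    Mimic what `restorecon -R -v ~/` reports: return (path, current, expected)
    for every file whose type differs from what the policy would assign.
    """
    plan = []
    for path, current in snapshot:
        expected = expected_context(path, rules, home)
        if expected is not None and type_of(current) != type_of(expected):
            plan.append((path, current, expected))
    return plan


# Constructed snapshot in the spirit of `ls -Z` output for a home directory
# where ~/.ssh was moved aside and re-created: the new directory and the key
# inside it inherited user_home_t from ~ instead of getting ssh_home_t, while
# the moved-aside copy kept its old ssh_home_t label under a name the
# ~/.ssh rule no longer matches.
SNAPSHOT = [
    ("/home/anne/.bashrc",            "unconfined_u:object_r:user_home_t:s0"),
    ("/home/anne/.ssh",               "unconfined_u:object_r:user_home_t:s0"),
    ("/home/anne/.ssh/id_rsa",        "unconfined_u:object_r:user_home_t:s0"),
    ("/home/anne/.ssh.old",           "unconfined_u:object_r:ssh_home_t:s0"),
    ("/home/anne/.ssh.old/id_rsa",    "unconfined_u:object_r:ssh_home_t:s0"),
    ("/home/anne/.gnupg",             "unconfined_u:object_r:gpg_secret_t:s0"),
    ("/home/anne/.gnupg/secring.gpg", "unconfined_u:object_r:gpg_secret_t:s0"),
]

if __name__ == "__main__":
    rules = parse_file_contexts(FILE_CONTEXTS)
    for path, current, expected in relabel_plan(SNAPSHOT, rules, "/home/anne"):
        # Same shape as a `restorecon -v` line
        print(f"restorecon reset {path} context {current}->{expected}")
```

Run as a script it prints one line per path that restorecon would relabel: the re-created ~/.ssh and the key in it (which inherited user_home_t from the parent, the case Stephen describes), and the moved-aside ~/.ssh.old copy (still ssh_home_t although its new name only matches the generic home rule). ~/.bashrc and ~/.gnupg are left alone. Listing ~/.ssh/* in /etc/selinux/restorecond.conf (one path per line, globs allowed, as in the shipped file) makes restorecond relabel the first case at creation time, so the manual restorecon is only needed after the kind of move-and-recreate shown here.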