Bug 155796
Summary: | Mozilla vs Esd - proper labeling for /tmp/.esd | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ivan Gyurdiev <ivg231> |
Component: | selinux-policy-strict | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED WONTFIX | Severity: | medium |
Priority: | medium | Version: | rawhide |
Hardware: | i386 | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2007-07-13 11:36:14 UTC |
Description
Ivan Gyurdiev
2005-04-23 12:45:14 UTC
These are the types of places where I think Mozilla policy is broken. I think if you want to use mozilla/firefox in this way you disable the trans. Otherwise we are constantly finding things broken in Mozilla until we fix it up to be able to do everything user_t can do. I.e., useless. We should select a security profile for web browsing and if the customer cannot handle it, disable the transition.

Well, the .esd folder is not labeled properly (on my system) regardless of mozilla. If I type "esd" I get denials, because staff_t can't access sysadm_tmp_t.

=====================

Regarding mozilla - I'm not sure this is true. The way I imagine things is - we restrict interaction of mozilla to things that are not in user_t. Upon execution of plugin code, transition to an alternate domain to deal with each plugin. For example, the mplayer plugin. Also, I think those domains should be separate from the ROLE_app_t domains - the mplayer plugin domain should be more confined than the default mplayer policy (which is not true now). I think once ROLE_tmp_t and ROLE_home_t access is denied to mozilla, the policy will be much more secure. However first I must figure out how ORBit works, and there's no time to do that now - exams ...

I think the amount of stuff labeled in /tmp is unfixable and I am closing this bugzilla. I am going a different route in confining mozilla.