Bug 589579

Summary: firefox runs in an unconfined domain
Product: [Fedora] Fedora
Component: selinux-policy
Reporter: Need Real Name <lsof>
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, lsof, mgrepl
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-08-19 11:32:34 UTC

Description Need Real Name 2010-05-06 13:23:45 UTC
Description of problem:
Firefox is probably the primary method by which to gain control of a user's system, either via firefox, flash or nsplugin.

It seems sensible that firefox should not run in an unconfined domain.

Comment 1 Daniel Walsh 2010-05-06 14:01:26 UTC
May seem sensible to you, but can you define what security goals the general population wants firefox to run under?  I think you will quickly realize it becomes unconfined_t or at least user_t.

If you want to look into running firefox in a confined environment you can try 

sandbox -X -t sandbox_web_t -W metacity firefox

Or 

turn on allow_unconfined_nsplugin_transition boolean and it will confine your nsplugin plugins.
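
A check for which SELinux domain a browser process actually runs in, as an added example that is not part of the original comment thread: it parses output in the shape of `ps -eo label,pid,comm` and flags processes in unconfined_t. The function names and the sample process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the SELinux domain (type) of processes by command name.
# Input lines have the shape printed by `ps -eo label,pid,comm`.

# Extract the type from a context of the form user:role:type:level.
# The level may itself contain colons (s0-s0:c0.c1023), so take field 3
# instead of counting fields from the end.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# audit_domains NAME: read "LABEL PID COMM" lines on stdin and print
# "PID COMM TYPE VERDICT" for every process whose command is NAME.
# Only unconfined_t, the domain this bug is about, is flagged.
audit_domains() {
    while read -r label pid comm; do
        [ "$comm" = "$1" ] || continue
        dom=$(selinux_type "$label")
        case "$dom" in
            unconfined_t) verdict=UNCONFINED ;;
            *)            verdict=other ;;
        esac
        printf '%s %s %s %s\n' "$pid" "$comm" "$dom" "$verdict"
    done
}

# Constructed sample: one firefox started normally, one started through
# the sandbox command from comment 1, and an unrelated daemon.
sample_ps() {
    cat <<'EOF'
LABEL                                                   PID COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2314 firefox
unconfined_u:unconfined_r:sandbox_web_t:s0:c112,c874   2590 firefox
system_u:system_r:sshd_t:s0-s0:c0.c1023                1001 sshd
EOF
}

sample_ps | audit_domains firefox
# On a live system: ps -eo label,pid,comm | audit_domains firefox
```
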

Comment 2 Need Real Name 2010-05-06 15:49:33 UTC
(In reply to comment #1)
> May seem sensible to you, but can you define what security goals the general
> population wants firefox to run under?

Well I think this sends a confusing message. Fedora is pushing selinux, and the SELinux FAQ says:

---
DAC is standard Linux security, and it provides no protection from broken software or malware running as a normal user or root. Users can grant risky levels of access to files they own.

[..]

A MAC system does not suffer from these problems.
---

But Mark Cox's blog says that Firefox is the most vulnerable app.

So on one hand selinux is being promoted as safe computing, and on the other hand firefox is running unconfined. Mixed messages! =)

Are the library hacks for firefox and its plugins still used?

Comment 3 Daniel Walsh 2010-05-06 19:23:33 UTC
I tend to agree, but if the latest HOUSE on hulu.com does not work because of SELinux, then SELinux gets disabled. This is why we call it "targeted" policy. We are slowly moving toward the point where we can control parts of firefox/chromium but we are not there yet.