| Summary: | Re-confining of Firefox plugins | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Matěj Cepl <mcepl> | |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | high | |||
| Version: | 6.2 | CC: | djuran, dwalsh, mmalik, syeghiay | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.7.19-154.el6 | Doc Type: | Bug Fix | |
| Doc Text: | | Story Points: | --- | |
| Clone Of: | ||||
| : | 784309 | Environment: | ||
| Last Closed: | 2012-06-20 12:28:05 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 750385, 784309, 826592, 832998 | |||
This needs to wait for 6.3

Fixed in selinux-policy-3.7.19-136.el6

Since FailedQA, should this be a 6.3 blocker?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
Adobe started supporting 64-bit Flash a couple of days (weeks) ago, which means nspluginwrapper is not required for Flash anymore anywhere. And given that since somewhere in the 3.6.* line Firefox now supports out-of-process plugins, it should be possible to confine the Flash process as such. However, when I run it (in RHEL 6.2 true) I get this in pstree -Z:

```
├─firefox(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
│ ├─plugin-containe(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
│ │ ├─{plugin-contain}(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
│ │ ├─{plugin-contain}(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
│ │ ├─{plugin-contain}(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
│ │ └─{plugin-contain}(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
│ ├─{firefox}(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
│ └─{firefox}(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
```

i.e., the Flash plugin (process plugin-container) runs unconfined again. According to the discussion on IRC, there is apparently some support for this in Fedora. Could we backport this to RHEL 6 eventually?
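A check for the condition described in the report, added here as an example and not part of the original bug report or of selinux-policy: it reads `ps -eo label,pid,comm` output and lists plugin-container processes whose SELinux type is `unconfined_t`. The function names, the sample process list and the `example_plugin_t` type are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Firefox plugin-container processes running in unconfined_t.
# Input format: "LABEL PID COMM", as printed by `ps -eo label,pid,comm`.

# Print the type field of an SELinux context (user:role:type:level).
# The level may itself contain ':' (s0-s0:c0.c1023), so only field 3 is taken
# rather than splitting the whole string and counting from the end.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read ps output on stdin and print "PID TYPE" for every plugin process that
# is still unconfined. comm is truncated to 15 characters by the kernel, which
# is why the name appears as "plugin-containe" (as in the pstree output above).
find_unconfined_plugins() {
    while read -r label pid comm; do
        case "$comm" in
            plugin-containe*) ;;
            *) continue ;;
        esac
        ctype=$(selinux_type "$label")
        if [ "$ctype" = "unconfined_t" ]; then
            printf '%s %s\n' "$pid" "$ctype"
        fi
    done
    return 0
}

# Constructed sample input. PIDs are made up, and example_plugin_t is a
# placeholder for whatever confined domain the installed policy assigns.
SAMPLE_PS='LABEL PID COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2101 firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2140 plugin-containe
unconfined_u:unconfined_r:example_plugin_t:s0-s0:c0.c1023 2188 plugin-containe
system_u:system_r:sshd_t:s0-s0:c0.c1023 1200 sshd'

# Run against the sample; on a live system use:
#   ps -eo label,pid,comm | find_unconfined_plugins
printf '%s\n' "$SAMPLE_PS" | find_unconfined_plugins
```

Empty output means no plugin-container process was found in `unconfined_t`; it does not by itself confirm which domain the plugin runs in.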