• 1
Yes you can look at documents from the Web via Open Office or evince for example, but these tools will be running under the xguest_firefox_t domain. So they will follow the same rules. Now the user could save the document to /tmp or ~/.mozilla or ~/Download directory, and then run open office or evince to look at the files separately.

I did not mention that there are two booleans to control the use of firefox also.

browser_confine_xguest --> on
browser_write_xguest_data --> off

The first one allows the xguest domain to transition to xguest_firefox_t, If you turn this off the transition will not happen and firefox would be in local only mode. IE Only able to read what the user can read off the local system. The second boolean would allow firefox to write to the users home dir. If you want to see something cool about this policy. Execute

links www.redhat.com

Will give you a failure to connect.

firefox www.redhat.com

will succeed.

  • 1

Log in