Confining firefox

Dan, is this stuff in rawhide tree only? I am seeing the following on F8 machine (firefox-, nspluginwrapper-, selinux-policy-3.0.8-73.fc8):


SELinux is preventing /usr/lib/firefox- from creating a file with a context of unlabeled_t on a filesystem.

AVC raw message:

avc: denied { associate } for comm=firefox-bin egid=500 euid=500 exe=/usr/lib/firefox- exit=41 fsgid=500 fsuid=500 gid=500 items=0 name=D94F22FEd01 pid=2818 scontext=system_u:object_r:unlabeled_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=filesystem tcontext=system_u:object_r:fs_t:s0 tty=(none) uid=500

I just did the suggested fix on my ~/ to see how this affects the confinement. I suppose bz is not needed?

Regards, Vladimir

Re: Confining firefox

Rawhide only.

What kind of filesystem do you have? Open a bugzilla if this continues. Might be a file system that SELinux does not know about.

Is this on the F9 feature list?

Nice work.

I looked, but couldn't see this on the F9 feature list here:

Would be nice to add it, to help the marketing team, get it into the release notes, etc. Talk to poelstra, IIRC.

Confining the browser

I ran restorecon -R -v ~/ and earlier set the boolean via the SELinux Administration GUI. There are a lot of error messages in the troubleshooter logged. I would rather have undesirable items blocked than have vulnerabilities which could potentially invade my privacy or set me up as some proxy for distributing unknowingly some other bad content around the website. I do want my grandkids to not feel that nothing works in Linux and be compelled to use Windows where their kid oriented websites fail though. I think that the efforts to start securing the desktop are very important. Thanks for the work on getting this to be a reality.
Recently using Windows, one website about took down the system when going to a technically related information website found by a web search engine. The AV programs caught this but should have not allowed such a potential compromise from being possible. I hope SELinux prevents such potential infiltration within the Linux environment.

There is a policy for running mozilla under a different domain. But it really is not as much of a confinement as you might think.

The only domain that is currently using it is xguest_u. This is the only way the xguest user account can use the network. If the xguest user tries to connect out any other way, it will be denied.

Writing policy to confine mozilla/firefox is very difficult since almost everyone wants it to be able to do everything. People want it to be able to download to any directory and upload from any directory. They want it to be able to execute helper apps like evince and openoffice.

If I confined firefox (firefox_t) to not be able to write anywhere except ~/Download and only able to read from ~/Upload, that might be a step forward, except when it comes to running openoffice. If I download a file and firefox_t executes openoffice, it would stay running in the context of firefox_t.

Well, if a user went to edit a different file in openoffice he would be surprised when it could not be read or saved in other directories. If he killed openoffice and restarted it from the panel it would run under unconfined_t or user_t and would be able to do what he wants. Very confusing.

Currently in F9 and F10 we have the ability to confine nsplugin as described in the blog, and this at least allows you to confine random download executables running in firefox.

Hello Dan,

There is no way that I can write a policy confining Firefox to read or rather write to a specific directory. E.g. allowing the user to list/read files in the home dir rather than giving him full privileges:

Minimal privileges:

allow firefox_t admin_home_t:dir { search };
allow firefox_t admin_home_t:file { read };

Full Privileges:

allow firefox_t admin_home_t:dir { write remove_name getattr read add_name };
allow firefox_t admin_home_t:file { rename lock create getattr write ioctl unlink append };

Please clarify.


Yes you can, although it looks like you are writing policy for the /root directory? Not a good idea to run firefox as root.

But you can label particular directories like .mozilla as being firefox_home_t and have a rule like

manage_dirs_pattern(firefox_t, firefox_home_t, firefox_home_t)
manage_files_pattern(firefox_t, firefox_home_t, firefox_home_t)

list_dirs_pattern(firefox_t, user_home_dir_t, user_home_dir_t)
list_dirs_pattern(firefox_t, user_home_t, user_home_t)
read_files_pattern(firefox_t, user_home_t, user_home_t)
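Putting the rules from the reply above into a loadable module, as an added illustration that is not part of the original thread: the .fc stanza labels ~/.mozilla as firefox_home_t, the .te grants the pattern rules, and the commands build, install and relabel. It assumes a firefox_t domain already exists (the thread's hypothetical, not a stock Fedora type), a refpolicy-based selinux-policy-devel install, and that only the .mozilla tree needs write access.

```selinux
## firefox_home.fc -- file contexts; HOME_DIR is expanded per user by genhomedircon
HOME_DIR/\.mozilla(/.*)?    gen_context(system_u:object_r:firefox_home_t,s0)

## firefox_home.te -- type and access rules
policy_module(firefox_home, 1.0)

gen_require(`
    # Assumed to exist: the confined browser domain discussed in the thread.
    type firefox_t;
    # Stock user home types from userdomain.te.
    type user_home_dir_t;
    type user_home_t;
')

# Profile storage: the only home-directory content firefox_t may create or modify.
type firefox_home_t;
userdom_user_home_content(firefox_home_t)

# Full create/write/rename/unlink on the labelled profile tree only.
manage_dirs_pattern(firefox_t, firefox_home_t, firefox_home_t)
manage_files_pattern(firefox_t, firefox_home_t, firefox_home_t)

# Directory listing of $HOME and of ordinary home content (search/getattr/read on dirs).
list_dirs_pattern(firefox_t, user_home_dir_t, user_home_dir_t)
list_dirs_pattern(firefox_t, user_home_t, user_home_t)

# Read-only on ordinary home files. Note this is still broad: every user_home_t
# file is readable. Drop this line and label a single upload directory instead
# if you want the "read only from ~/Upload" split described earlier in the thread.
read_files_pattern(firefox_t, user_home_t, user_home_t)

## Build, install and relabel (run from the directory holding the two files above):
##   make -f /usr/share/selinux/devel/Makefile firefox_home.pp
##   semodule -i firefox_home.pp
##   restorecon -R -v ~/.mozilla
## Verify the label took effect before trusting the rules:
##   ls -Zd ~/.mozilla        # expect ...:object_r:firefox_home_t:s0
```

Any write by firefox_t outside ~/.mozilla then shows up as an AVC denial in the audit log, which is the point: the denial tells you what the browser tried rather than silently allowing it.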
