danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Add to Memories Share Next Entry
Getting ready for Fedora 10
danwalsh
Fedora 10 and SELinux look good.  The only big problem I am aware of is around the confinement of nspluginwrapper.

As I stated in my previous blog, the battle between adding security and usability continues.  I decided to turn on the transition between the default user (unconfined_t) and nspluginwrapper (nsplugin_t), when running processes under firefox.  The beauty of this it that applications like flashplugin and other plugins that a user downloads over the network can be confined.  I wrote about this previously in

http://danwalsh.livejournal.com/15700.html

My goal with turning this on is to attempt to bring real security to the masses of people that don't modify their environment.  Sadly another package mozplugger is launching many desktop apps under nsplugin.  The idea I guess is to run evince, totem, openoffice within a tab when downloading the appropriate content.  Whether this is a good idea or not is debateable, but it is causing SELinux problems.

SELinux default policy does not allow users to run openoffice under nsplugin, since nsplugin is not allowed to write all over the users home directory, can't connect to dbus, and can't do a lot of other things openoffice wants to do.

If you find this problem, you have two choices.
  •   remove the mozplugger rpm
    • rpm -e mozplugger
    • or at least openoffice from /etc/mozpluggerrc
       
  • turn off SELinux protection over nsplugin.
    • # setsebool -P allow_unconfined_nsplugin_transition 0
Sadly from my point of view mozplugger is being installed by default.


No HTML allowed in subject

  
 
   
 

(will be screened)

You are viewing danwalsh