Getting ready for Fedora 10
Fedora 10 and SELinux look good.  The only big problem I am aware of is around the confinement of nspluginwrapper.

As I stated in my previous blog post, the battle between adding security and usability continues. I decided to turn on the transition between the default user domain (unconfined_t) and nspluginwrapper (nsplugin_t) when running plugin processes under firefox. The beauty of this is that applications like flashplugin and other plugins that a user downloads over the network can be confined. I wrote about this previously in

My goal in turning this on is to bring real security to the masses of people who don't modify their environment. Sadly, another package, mozplugger, launches many desktop apps under nsplugin. The idea, I guess, is to run evince, totem and openoffice within a browser tab when the appropriate content is downloaded. Whether this is a good idea or not is debatable, but it is causing SELinux problems.

The default SELinux policy does not allow openoffice to run under nsplugin, since nsplugin is not allowed to write all over the user's home directory, can't connect to dbus, and can't do many other things openoffice wants to do.

If you find this problem, you have two choices.
  • remove the mozplugger rpm
    • rpm -e mozplugger
    • or at least remove the openoffice entries from /etc/mozpluggerrc
  • turn off SELinux protection over nsplugin
    • # setsebool -P allow_unconfined_nsplugin_transition 0
Sadly, from my point of view, mozplugger is being installed by default.
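To tell which of the two situations above a machine is in, here is an added audit script (not from the original post): it reads the `allow_unconfined_nsplugin_transition` boolean as printed by `getsebool`, checks whether mozpluggerrc hands any content to OpenOffice, and says which remedy applies. The mozpluggerrc layout it greps for (a "mime: ext: description" line followed by indented command lines) and the sample file it writes are assumptions, constructed for offline runs.

```shell
#!/bin/sh
# Added example, not from the original post: audit whether the mozplugger /
# nsplugin_t conflict applies to this box, and which remedy is in play.
# The mozpluggerrc regex assumes the layout: one "mime: ext: description"
# line followed by indented command lines naming the program to launch.

# 0 if a mozpluggerrc file hands any content type to OpenOffice (ooffice/soffice).
# Comment lines (first non-blank char '#') are ignored.
ooffice_in_mozpluggerrc() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*(ooffice|soffice)' "$1"
}

# 0 if a getsebool output line ("name --> on|off") says the transition is on,
# i.e. firefox plugins run confined as nsplugin_t.
transition_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^allow_unconfined_nsplugin_transition[[:space:]]+-->[[:space:]]+on$'
}

# assess <mozplugger installed: yes|no> <mozpluggerrc path> <getsebool line>
# Prints a verdict; returns 1 only for the conflicting configuration.
assess() {
    if ! transition_enabled "$3"; then
        echo "transition off: plugins run unconfined, mozplugger works but is not confined"
    elif [ "$1" != yes ]; then
        echo "ok: transition on, mozplugger not installed"
    elif ooffice_in_mozpluggerrc "$2"; then
        echo "conflict: openoffice would run as nsplugin_t; remove mozplugger or its openoffice entries"
        return 1
    else
        echo "ok: transition on, mozplugger present but no openoffice handler"
    fi
}

# Constructed sample mozpluggerrc (format assumed, see above) for offline runs.
write_sample_rc() {
    printf '%s\n' \
        '# constructed sample; a comment mentioning ooffice must not count' \
        'application/pdf: pdf: PDF file' \
        '    repeat swallow(evince) fill: evince "$file"' \
        'application/vnd.oasis.opendocument.text: odt: OpenDocument Text' \
        '    repeat swallow(openoffice) fill: ooffice -nologo "$file"' > "$1"
}

# Live use on a Fedora 10 box:
#   inst=no; rpm -q mozplugger >/dev/null 2>&1 && inst=yes
#   assess "$inst" /etc/mozpluggerrc "$(getsebool allow_unconfined_nsplugin_transition)"
```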

(Deleted comment)
Yes I believe so.

I don't think there is time to either fix mozplugger or SELinux before F10 ships, and I am not sure what the best fix should be. My opinion would be don't run openoffice within mozplugger, and don't install mozplugger by default. Others will disagree.

(Deleted comment)
No, more likely mozplugger got added as the default late in the game. The nsplugin transition has been in for the entire rawhide, and I did not start seeing these problems until very late in the release cycle.

So, more likely, mozplugger developers are developing with SELinux disabled or in permissive mode and have failed to submit bugs.
