Getting ready for Fedora 10
Fedora 10 and SELinux look good. The only big problem I am aware of is around the confinement of nspluginwrapper.
As I stated in my previous blog, the battle between adding security and usability continues. I decided to turn on the transition between the default user (unconfined_t) and nspluginwrapper (nsplugin_t), when running processes under firefox. The beauty of this it that applications like flashplugin and other plugins that a user downloads over the network can be confined. I wrote about this previously in
http://danwalsh.livejournal.com/15700.html
My goal with turning this on is to attempt to bring real security to the masses of people that don't modify their environment. Sadly another package mozplugger is launching many desktop apps under nsplugin. The idea I guess is to run evince, totem, openoffice within a tab when downloading the appropriate content. Whether this is a good idea or not is debateable, but it is causing SELinux problems.
SELinux default policy does not allow users to run openoffice under nsplugin, since nsplugin is not allowed to write all over the users home directory, can't connect to dbus, and can't do a lot of other things openoffice wants to do.
If you find this problem, you have two choices.
As I stated in my previous blog, the battle between adding security and usability continues. I decided to turn on the transition between the default user (unconfined_t) and nspluginwrapper (nsplugin_t), when running processes under firefox. The beauty of this it that applications like flashplugin and other plugins that a user downloads over the network can be confined. I wrote about this previously in
http://danwalsh.livejournal.com/15700.html
My goal with turning this on is to attempt to bring real security to the masses of people that don't modify their environment. Sadly another package mozplugger is launching many desktop apps under nsplugin. The idea I guess is to run evince, totem, openoffice within a tab when downloading the appropriate content. Whether this is a good idea or not is debateable, but it is causing SELinux problems.
SELinux default policy does not allow users to run openoffice under nsplugin, since nsplugin is not allowed to write all over the users home directory, can't connect to dbus, and can't do a lot of other things openoffice wants to do.
If you find this problem, you have two choices.
- remove the mozplugger rpm
- rpm -e mozplugger
- or at least openoffice from /etc/mozpluggerrc
- turn off SELinux protection over nsplugin.
- # setsebool -P allow_unconfined_nsplugin_transition 0