Introducing SELinux Sanbox

Introducing SELinux Sanbox

[Daniel J Walsh]

For those who do not ordinarily read my blog.

http://danwalsh.livejournal.com/28545.html


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Introducing SELinux Sanbox

[Justin Mattock]

On Tue, May 26, 2009 at 8:33 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> For those who do not ordinarily read my blog.
>
> http://danwalsh.livejournal.com/28545.html
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
>

hey, nice article.
What are your thoughts about
flashplayer?
I myself enjoy watching T.V. through flash,
although seeing all of the avc's generated does scare me a bit.
even though the avc's are just {read, geattr, search, open}
(looked into gnash, but compiling that from source requires quit a bit)

If only flash could be as simple as watching T.V. through mplayer,
which generates far less avc's.

-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Introducing SELinux Sanbox

[Daniel J Walsh]

On 05/26/2009 01:12 PM, Justin Mattock wrote:
> On Tue, May 26, 2009 at 8:33 AM, Daniel J Walsh<dwalsh@redhat.com>  wrote:
>> For those who do not ordinarily read my blog.
>>
>> http://danwalsh.livejournal.com/28545.html
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>> with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>
> hey, nice article.
> What are your thoughts about
> flashplayer?
> I myself enjoy watching T.V. through flash,
> although seeing all of the avc's generated does scare me a bit.
> even though the avc's are just {read, geattr, search, open}
> (looked into gnash, but compiling that from source requires quit a bit)
>
> If only flash could be as simple as watching T.V. through mplayer,
> which generates far less avc's.
>
Flash should work with nsplugin_t if you turn on the
allow_unconfined_nsplugin_transition
boolean

You should not be seeing any avc's from this in F10/F11.  You might need 
to fix the labeling in your homedir.

restorecon -R -v ~/


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Introducing SELinux Sanbox

[Justin Mattock]

On Tue, May 26, 2009 at 11:04 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 05/26/2009 01:12 PM, Justin Mattock wrote:
>>
>> On Tue, May 26, 2009 at 8:33 AM, Daniel J Walsh<dwalsh@redhat.com>  wrote:
>>>
>>> For those who do not ordinarily read my blog.
>>>
>>> http://danwalsh.livejournal.com/28545.html
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>> with
>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>
>> hey, nice article.
>> What are your thoughts about
>> flashplayer?
>> I myself enjoy watching T.V. through flash,
>> although seeing all of the avc's generated does scare me a bit.
>> even though the avc's are just {read, geattr, search, open}
>> (looked into gnash, but compiling that from source requires quit a bit)
>>
>> If only flash could be as simple as watching T.V. through mplayer,
>> which generates far less avc's.
>>
> Flash should work with nsplugin_t if you turn on the
> allow_unconfined_nsplugin_transition
> boolean
>
> You should not be seeing any avc's from this in F10/F11.  You might need to
> fix the labeling in your homedir.
>
> restorecon -R -v ~/
>
>

yeah I noticed F11 was setup nicely
(you wouldn't even know there is a policy)

over here I've a home brewed distro
with just the bare essentials to run.

The policy was fetched from svn a few days ago,
firefox is the latest 3.5 beta 4(did compile a few months
ago, but found it taking half the day to do so.)
and then libflashplayer.so(with just the bare needs
gtk+,pango,libpng,libcurl) located in /usr/lib/firefox/plugins.
(probably should relocate to the home dir, and setup the restorecon
daemon)

As for the home directory, at the moment I setup namespace.so
(but since I'm the only one using the machine probably
doesn't make a difference).

As for other plugins for firefox, I did have a chance to
run nsplugin(but then with the latest system I just built
decided to leave that out, as well as mozplugger, and any
other plug-in except flash.)

-- 
Justin P. Mattock


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Introducing SELinux Sanbox

[Daniel J Walsh]

On 05/26/2009 02:52 PM, Justin Mattock wrote:
> On Tue, May 26, 2009 at 11:04 AM, Daniel J Walsh<dwalsh@redhat.com>  wrote:
>> On 05/26/2009 01:12 PM, Justin Mattock wrote:
>>> On Tue, May 26, 2009 at 8:33 AM, Daniel J Walsh<dwalsh@redhat.com>    wrote:
>>>> For those who do not ordinarily read my blog.
>>>>
>>>> http://danwalsh.livejournal.com/28545.html
>>>>
>>>>
>>>> --
>>>> This message was distributed to subscribers of the selinux mailing list.
>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>> with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>
>>> hey, nice article.
>>> What are your thoughts about
>>> flashplayer?
>>> I myself enjoy watching T.V. through flash,
>>> although seeing all of the avc's generated does scare me a bit.
>>> even though the avc's are just {read, geattr, search, open}
>>> (looked into gnash, but compiling that from source requires quit a bit)
>>>
>>> If only flash could be as simple as watching T.V. through mplayer,
>>> which generates far less avc's.
>>>
>> Flash should work with nsplugin_t if you turn on the
>> allow_unconfined_nsplugin_transition
>> boolean
>>
>> You should not be seeing any avc's from this in F10/F11.  You might need to
>> fix the labeling in your homedir.
>>
>> restorecon -R -v ~/
>>
>>
>
> yeah I noticed F11 was setup nicely
> (you wouldn't even know there is a policy)
>
> over here I've a home brewed distro
> with just the bare essentials to run.
>
> The policy was fetched from svn a few days ago,
> firefox is the latest 3.5 beta 4(did compile a few months
> ago, but found it taking half the day to do so.)
> and then libflashplayer.so(with just the bare needs
> gtk+,pango,libpng,libcurl) located in /usr/lib/firefox/plugins.
> (probably should relocate to the home dir, and setup the restorecon
> daemon)
>
> As for the home directory, at the moment I setup namespace.so
> (but since I'm the only one using the machine probably
> doesn't make a difference).
>
> As for other plugins for firefox, I did have a chance to
> run nsplugin(but then with the latest system I just built
> decided to leave that out, as well as mozplugger, and any
> other plug-in except flash.)
>
ok

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.