From: Daniel J Walsh <dwalsh@redhat.com>
To: Justin Mattock <justinmattock@gmail.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Introducing SELinux Sanbox
Date: Tue, 26 May 2009 14:54:17 -0400
Message-ID: <4A1C3AD9.6020903@redhat.com>
In-Reply-To: <dd18b0c30905261152u6643c64eg205135e81fb69550@mail.gmail.com>

On 05/26/2009 02:52 PM, Justin Mattock wrote:
> On Tue, May 26, 2009 at 11:04 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> On 05/26/2009 01:12 PM, Justin Mattock wrote:
>>> On Tue, May 26, 2009 at 8:33 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>>>> For those who do not ordinarily read my blog.
>>>>
>>>> http://danwalsh.livejournal.com/28545.html
>>>>
>>>>
>>>> --
>>>> This message was distributed to subscribers of the selinux mailing list.
>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>> with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>
>>> hey, nice article.
>>> What are your thoughts about
>>> flashplayer?
>>> I myself enjoy watching T.V. through flash,
>>> although seeing all of the avc's generated does scare me a bit.
>>> even though the avc's are just {read, getattr, search, open}
>>> (looked into gnash, but compiling that from source requires quite a bit)
>>>
>>> If only flash could be as simple as watching T.V. through mplayer,
>>> which generates far less avc's.
>>>
>> Flash should work with nsplugin_t if you turn on the
>> allow_unconfined_nsplugin_transition boolean
>>
>> You should not be seeing any avc's from this in F10/F11.  You might need to
>> fix the labeling in your homedir.
>>
>> restorecon -R -v ~/
>>
>>
>
> yeah I noticed F11 was setup nicely
> (you wouldn't even know there is a policy)
>
> over here I've a home brewed distro
> with just the bare essentials to run.
>
> The policy was fetched from svn a few days ago,
> firefox is the latest 3.5 beta 4(did compile a few months
> ago, but found it taking half the day to do so.)
> and then libflashplayer.so(with just the bare needs
> gtk+,pango,libpng,libcurl) located in /usr/lib/firefox/plugins.
> (probably should relocate to the home dir, and setup the restorecon
> daemon)
>
> As for the home directory, at the moment I setup namespace.so
> (but since I'm the only one using the machine probably
> doesn't make a difference).
>
> As for other plugins for firefox, I did have a chance to
> run nsplugin(but then with the latest system I just built
> decided to leave that out, as well as mozplugger, and any
> other plug-in except flash.)
>
ok



Thread overview: 5+ messages
2009-05-26 15:33 Introducing SELinux Sanbox Daniel J Walsh
2009-05-26 17:12 ` Justin Mattock
2009-05-26 18:04   ` Daniel J Walsh
2009-05-26 18:52     ` Justin Mattock
2009-05-26 18:54       ` Daniel J Walsh [this message]
