* Introducing SELinux Sanbox
From: Daniel J Walsh @ 2009-05-26 15:33 UTC
To: SE Linux

For those who do not ordinarily read my blog.

http://danwalsh.livejournal.com/28545.html

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: Introducing SELinux Sanbox
From: Justin Mattock @ 2009-05-26 17:12 UTC
To: Daniel J Walsh; +Cc: SE Linux

On Tue, May 26, 2009 at 8:33 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> For those who do not ordinarily read my blog.
>
> http://danwalsh.livejournal.com/28545.html

hey, nice article.
What are your thoughts about
flashplayer?
I myself enjoy watching T.V. through flash,
although seeing all of the avc's generated does scare me a bit.
even though the avc's are just {read, getattr, search, open}
(looked into gnash, but compiling that from source requires quite a bit)

If only flash could be as simple as watching T.V. through mplayer,
which generates far less avc's.

--
Justin P. Mattock

* Re: Introducing SELinux Sanbox
From: Daniel J Walsh @ 2009-05-26 18:04 UTC
To: Justin Mattock; +Cc: SE Linux

On 05/26/2009 01:12 PM, Justin Mattock wrote:
> On Tue, May 26, 2009 at 8:33 AM, Daniel J Walsh<dwalsh@redhat.com> wrote:
>> For those who do not ordinarily read my blog.
>>
>> http://danwalsh.livejournal.com/28545.html
>
> hey, nice article.
> What are your thoughts about
> flashplayer?
> I myself enjoy watching T.V. through flash,
> although seeing all of the avc's generated does scare me a bit.
> even though the avc's are just {read, getattr, search, open}
> (looked into gnash, but compiling that from source requires quite a bit)
>
> If only flash could be as simple as watching T.V. through mplayer,
> which generates far less avc's.

Flash should work with nsplugin_t if you turn on the
allow_unconfined_nsplugin_transition
boolean

You should not be seeing any avc's from this in F10/F11. You might need to
fix the labeling in your homedir.

restorecon -R -v ~/

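Added example, not part of the thread and not from any SELinux tool: a small Python summarizer for the kind of AVC denial records discussed above. It groups denied permissions by source type, target type and object class, and picks out anything beyond the {read, getattr, search, open} set mentioned in the thread. The log lines, paths and type assignments in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed audit records for illustration; not taken from the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1243360001.101:210): avc:  denied  { read open } for  pid=2301 comm="firefox" name="prefs.js" dev=sda1 ino=4411 scontext=user_u:user_r:nsplugin_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1243360001.105:211): avc:  denied  { getattr } for  pid=2301 comm="firefox" path="/home/user/notes.txt" dev=sda1 ino=4400 scontext=user_u:user_r:nsplugin_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1243360001.105:211): arch=40000003 syscall=195 success=no exit=-13 comm="firefox"
type=AVC msg=audit(1243360002.200:212): avc:  denied  { search } for  pid=2301 comm="firefox" name="user" dev=sda1 ino=4001 scontext=user_u:user_r:nsplugin_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1243360003.310:213): avc:  denied  { write } for  pid=2301 comm="firefox" name="prefs.js" dev=sda1 ino=4411 scontext=user_u:user_r:nsplugin_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1243360004.001:214): avc:  granted  { read } for  pid=2301 comm="firefox" scontext=user_u:user_r:nsplugin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")
READ_ONLY = {"read", "getattr", "search", "open"}  # the set named in the thread


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(1) != "denied":
            continue  # skip non-AVC records and granted (auditallow) ones
        fields = dict(FIELD_RE.findall(line))
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record
        # A context is user:role:type[:level]; the level may contain ':' too.
        src, tgt = fields["scontext"].split(":"), fields["tcontext"].split(":")
        if len(src) < 3 or len(tgt) < 3:
            continue  # malformed context
        group = groups[(src[2], tgt[2], fields["tclass"])]
        group["perms"].update(m.group(2).split())
        group["count"] += 1
    return dict(groups)


def beyond_read_only(groups):
    """Return groups whose denied permissions go past read-style access."""
    return {key: sorted(g["perms"] - READ_ONLY)
            for key, g in groups.items() if g["perms"] - READ_ONLY}


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG)
    for key, g in sorted(summary.items()):
        print(key, sorted(g["perms"]), g["count"])
    print("beyond read-only:", beyond_read_only(summary))
```
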
* Re: Introducing SELinux Sanbox
From: Justin Mattock @ 2009-05-26 18:52 UTC
To: Daniel J Walsh; +Cc: SE Linux

On Tue, May 26, 2009 at 11:04 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 05/26/2009 01:12 PM, Justin Mattock wrote:
>>
>> On Tue, May 26, 2009 at 8:33 AM, Daniel J Walsh<dwalsh@redhat.com> wrote:
>>>
>>> For those who do not ordinarily read my blog.
>>>
>>> http://danwalsh.livejournal.com/28545.html
>>
>> hey, nice article.
>> What are your thoughts about
>> flashplayer?
>> I myself enjoy watching T.V. through flash,
>> although seeing all of the avc's generated does scare me a bit.
>> even though the avc's are just {read, getattr, search, open}
>> (looked into gnash, but compiling that from source requires quite a bit)
>>
>> If only flash could be as simple as watching T.V. through mplayer,
>> which generates far less avc's.
>>
> Flash should work with nsplugin_t if you turn on the
> allow_unconfined_nsplugin_transition
> boolean
>
> You should not be seeing any avc's from this in F10/F11. You might need to
> fix the labeling in your homedir.
>
> restorecon -R -v ~/

yeah I noticed F11 was setup nicely
(you wouldn't even know there is a policy)

over here I've a home brewed distro
with just the bare essentials to run.

The policy was fetched from svn a few days ago,
firefox is the latest 3.5 beta 4(did compile a few months
ago, but found it taking half the day to do so.)
and then libflashplayer.so(with just the bare needs
gtk+,pango,libpng,libcurl) located in /usr/lib/firefox/plugins.
(probably should relocate to the home dir, and setup the restorecon
daemon)

As for the home directory, at the moment I setup namespace.so
(but since I'm the only one using the machine probably
doesn't make a difference).

As for other plugins for firefox, I did have a chance to
run nsplugin(but then with the latest system I just built
decided to leave that out, as well as mozplugger, and any
other plug-in except flash.)

--
Justin P. Mattock

* Re: Introducing SELinux Sanbox
From: Daniel J Walsh @ 2009-05-26 18:54 UTC
To: Justin Mattock; +Cc: SE Linux

On 05/26/2009 02:52 PM, Justin Mattock wrote:
> On Tue, May 26, 2009 at 11:04 AM, Daniel J Walsh<dwalsh@redhat.com> wrote:
>> On 05/26/2009 01:12 PM, Justin Mattock wrote:
>>> On Tue, May 26, 2009 at 8:33 AM, Daniel J Walsh<dwalsh@redhat.com> wrote:
>>>> For those who do not ordinarily read my blog.
>>>>
>>>> http://danwalsh.livejournal.com/28545.html
>>>
>>> hey, nice article.
>>> What are your thoughts about
>>> flashplayer?
>>> I myself enjoy watching T.V. through flash,
>>> although seeing all of the avc's generated does scare me a bit.
>>> even though the avc's are just {read, getattr, search, open}
>>> (looked into gnash, but compiling that from source requires quite a bit)
>>>
>>> If only flash could be as simple as watching T.V. through mplayer,
>>> which generates far less avc's.
>>>
>> Flash should work with nsplugin_t if you turn on the
>> allow_unconfined_nsplugin_transition
>> boolean
>>
>> You should not be seeing any avc's from this in F10/F11. You might need to
>> fix the labeling in your homedir.
>>
>> restorecon -R -v ~/
>
> yeah I noticed F11 was setup nicely
> (you wouldn't even know there is a policy)
>
> over here I've a home brewed distro
> with just the bare essentials to run.
>
> The policy was fetched from svn a few days ago,
> firefox is the latest 3.5 beta 4(did compile a few months
> ago, but found it taking half the day to do so.)
> and then libflashplayer.so(with just the bare needs
> gtk+,pango,libpng,libcurl) located in /usr/lib/firefox/plugins.
> (probably should relocate to the home dir, and setup the restorecon
> daemon)
>
> As for the home directory, at the moment I setup namespace.so
> (but since I'm the only one using the machine probably
> doesn't make a difference).
>
> As for other plugins for firefox, I did have a chance to
> run nsplugin(but then with the latest system I just built
> decided to leave that out, as well as mozplugger, and any
> other plug-in except flash.)

ok