Closed pgera closed 8 years ago
selinux support?
What kind of support? As far as I know, there are "forbidden by default" policies in SELinux, and one must explicitly allow various capabilities.
why it's being denied
From "syscall=mmap" I can guess, mmap
syscall was the reason.
I think this is because when you install the plugin under user's home, it get's the context Target Context system_u:object_r:nfs_t:s0. However, if you look at the plugins under /usr/lib64/mozilla/plugins, they have a context of system_u:object_r:lib_t:s0. And a transition to the former is denied. I confirmed that if I place the file under /usr/lib64/mozilla/plugins, it doesn't get denied.
I'm not sure what this means from a general security standpoint though, given that flash is extremely insecure. There is no sandboxing like in chrome, but can selinux make it any more secure ?
but can selinux make it any more secure
Yeah, sure. Deny everything by default and allow only those parts that are required.
For example, you could deny free filesystem access. Freshplayerplugin requires files in ~/.config/freshwrapper-data/
to be accessible for reading and writing, but doesn't need to be able to read or write anywhere else. It may require reading and writing if you use swf's that open files, but you can limit it to ~/Uploads
, for example. Same for other bits. It's the same as for any other application.
I believe hardening policies are tightly coupled with the way a particular distribution is organized. So it's not feasible to even try to create security profiles in project code itself.
Tried running this on RHEL 7, and it gets denied by selinux. Here's the log:
Before I do setsebool -P unconfined_mozilla_plugin_transition 0, I would like to know why it's being denied, and whether it's safe to set that bool to 0.