On 04/10/2012 11:08 AM, drago01 wrote: > On Tue, Apr 10, 2012 at 4:29 PM, Paul Wouters <pwout...@redhat.com> wrote: >> On Tue, 10 Apr 2012, drago01 wrote: >> >>>> Wouldn't it be better to package Mozilla plugins in Fedora so that >>>> they are trusted? >>> >>> >>> rpm packages do not magically fix security issues. A vulnerability in a >>> plugin can be exploited by an attacker regardless how the plugin got >>> installed. (rpm or not). >> >> >> That's not true. SElinux could be used to restrict what a certain plugin >> could do when packages as rpm versus the SElinux properties of files in a >> users home directory. > > That's not true as well because plugins are libraries not binaries. You can > confine the binary (like we did with nspluginwrapper in the past) > regardless of where the plugin comes from.
Correct SELinux can only confine a process. If a process loads a shared library and is running unconfined_t, there is nothing we can do. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
