Re: [CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

2013-03-20 Thread Rob Townley
On Mon, Dec 10, 2012 at 9:40 AM, Daniel J Walsh dwa...@redhat.com wrote:

 On 12/07/2012 06:49 PM, Gordon Messmer wrote:
 On 12/06/2012 06:05 PM, David McGuffey wrote:
 Why isn't Firefox and Evolution confined with SELinux policy in a way
 that APT can't damage the rest of the system? Why are we not sandboxing
 these two apps with SELinux?

 Probably mostly because when you sandbox an X11 application, you can't copy
 and paste in or out of the application.  Most users want to do that.
 ___ CentOS mailing list
 CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

 Yes when you wrap something in sandbox, you lose the ability for these
 applications to communicate with the rest of the desktop.  In order to secure
 the desktop in any real way you need to break communications, and this
 communications breakdown hurts usability.  I opt for security, and will just
 run evince outside my session, if I really need copy/paste.  Maybe when we get
 to Wayland, we can make this better.


When I tried sandboxing firefox on CentOS 6.4, it says I need
seunshare, but yum search all seunshare results in nothing.

/usr/sbin/seunshare is required for the action you want to perform.

Widening the search to selinux and installing a bunch of packages, and
then running:
$ rpm -qf /usr/sbin/seunshare
policycoreutils-sandbox-2.0.83-19.30.el6.x86_64


Re: [CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

2012-12-10 Thread Daniel J Walsh

On 12/07/2012 04:59 PM, Rob Townley wrote:
 Daniel,
 
 Can the Firefox profile file hierarchy be sandboxed?  So everything 
 downloaded within the profile cache is sandboxed.  More like if any 
 application accesses something in a particular folder, sandboxing 
 automatically kicks in.
 
You would need to set up something separately to do this.  Sandboxing tool is
by user choice.  For example in firefox/thunderbird I can specify that any
time it downloads content, firefox/thunderbird will run a command to view that
content. Rather than use evince or ooffice, I have them run sandboxevince and
sandboxooffice, which are simple shell scripts wrapping sandbox command.

cat ~/bin/sandboxevince
#!/bin/sh
# "$@" is quoted so a downloaded file name containing spaces stays one argument
/usr/bin/sandbox -X /usr/bin/evince "$@"

cat ~/bin/sandboxooffice
#!/bin/sh
/usr/bin/sandbox -w 1400x750 -X ooffice "$@"

You can run your entire firefox session within a sandbox.  Here is how I do 
this.

cat ~/bin/sandboxfirefox
#!/bin/sh
sandbox -i ~/.mozilla -X -t sandbox_web_t -W metacity -w 1000x900 firefox "$@"


Now getting apps to run sandbox when looking at certain content is something
you would need to figure out.
 On Fri, Dec 7, 2012 at 5:49 AM, Daniel J Walsh dwa...@redhat.com wrote:
 
 On 12/06/2012 09:05 PM, David McGuffey wrote:
 Most of the advanced persistent threats (APT) are initiated via
 e-mail. Opening an attachment or clicking on a web link starts the
 process.
 
 Why isn't Firefox and Evolution confined with SELinux policy in a
 way that APT can't damage the rest of the system? Why are we not
 sandboxing these two apps with SELinux?
 
 I've discovered some guidance for sandboxing Firefox using the
 'sandbox' command.  Once I test it a bit, I'll post the results back
 here.  Seems to me that if this works, it should be the default.
 
 DaveM
 
 
 
 Very difficult to sandbox thunderbird and firefox.  But sandbox tool 
 actually works well for sandboxing viewers of downloaded data.  I sandbox
 all content that will be viewed by evince and libreoffice.
 

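[Added example, not part of the message above and not Daniel Walsh's code: a single dispatcher that picks the sandboxed viewer per file, in place of one wrapper script per viewer. The extension table, the function names and the SANDBOX_DRYRUN variable are assumptions; the sandbox flags are the ones used in the wrappers above.]

```shell
#!/bin/sh
# Added example, not from the thread. The extension table, function names and
# SANDBOX_DRYRUN are assumptions; -X and -w are the flags used in the wrappers.
SANDBOX=${SANDBOX:-/usr/bin/sandbox}

# Print the sandbox arguments (one per line) for the viewer that handles $1.
# Returns 1 when no sandboxed viewer is configured for that type.
viewer_args() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        *.pdf|*.ps)
            printf '%s\n' -X /usr/bin/evince ;;
        *.doc|*.docx|*.odt|*.xls|*.xlsx|*.ods|*.ppt|*.pptx|*.odp)
            printf '%s\n' -w 1400x750 -X ooffice ;;
        *)
            return 1 ;;
    esac
}

# Open one downloaded file inside the sandbox. With SANDBOX_DRYRUN=1 the final
# argv is printed (one argument per line) instead of being executed.
open_sandboxed() {
    file=$1
    [ -n "$file" ] || { echo "usage: sandboxopen FILE" >&2; return 2; }
    # A name such as "-X.pdf" must not be parsed as an option: anchor it to ./
    case $file in -*) file=./$file ;; esac
    # Fail closed: unknown types are refused, never opened unconfined.
    args=$(viewer_args "$file") || {
        echo "sandboxopen: no sandboxed viewer for $file" >&2; return 3; }
    # The viewer arguments contain no whitespace, so splitting on newlines is
    # safe; the file name is appended afterwards as one quoted word.
    old_ifs=$IFS; IFS='
'
    set -f; set -- $args; set +f
    IFS=$old_ifs
    set -- "$SANDBOX" "$@" "$file"
    if [ "${SANDBOX_DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        "$@"
    fi
}

# When run as a script (e.g. as the browser's helper application), open $1.
if [ "$#" -gt 0 ]; then open_sandboxed "$@"; fi
```
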


Re: [CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

2012-12-10 Thread Daniel J Walsh

On 12/07/2012 06:49 PM, Gordon Messmer wrote:
 On 12/06/2012 06:05 PM, David McGuffey wrote:
 Why isn't Firefox and Evolution confined with SELinux policy in a way 
 that APT can't damage the rest of the system? Why are we not sandboxing 
 these two apps with SELinux?
 
 Probably mostly because when you sandbox an X11 application, you can't copy
 and paste in or out of the application.  Most users want to do that. 
 
Yes when you wrap something in sandbox, you lose the ability for these
applications to communicate with the rest of the desktop.  In order to secure
the desktop in any real way you need to break communications, and this
communications breakdown hurts usability.  I opt for security, and will just
run evince outside my session, if I really need copy/paste.  Maybe when we get
to Wayland, we can make this better.


Re: [CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

2012-12-07 Thread Daniel J Walsh

On 12/06/2012 09:05 PM, David McGuffey wrote:
 Most of the advanced persistent threats (APT) are initiated via e-mail. 
 Opening an attachment or clicking on a web link starts the process.
 
 Why isn't Firefox and Evolution confined with SELinux policy in a way that
 APT can't damage the rest of the system? Why are we not sandboxing these
 two apps with SELinux?
 
 I've discovered some guidance for sandboxing Firefox using the 'sandbox' 
 command.  Once I test it a bit, I'll post the results back here.  Seems to
 me that if this works, it should be the default.
 
 DaveM
 
 
 
Very difficult to sandbox thunderbird and firefox.  But sandbox tool actually
works well for sandboxing viewers of downloaded data.  I sandbox all content
that will be viewed by evince and libreoffice.


Re: [CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

2012-12-07 Thread Rob Townley
Daniel,

Can the Firefox profile file hierarchy be sandboxed?  So everything
downloaded within the profile cache is sandboxed.  More like if any
application accesses something in a particular folder, sandboxing
automatically kicks in.

On Fri, Dec 7, 2012 at 5:49 AM, Daniel J Walsh dwa...@redhat.com wrote:


 On 12/06/2012 09:05 PM, David McGuffey wrote:
  Most of the advanced persistent threats (APT) are initiated via e-mail.
  Opening an attachment or clicking on a web link starts the process.
 
  Why isn't Firefox and Evolution confined with SELinux policy in a way
  that APT can't damage the rest of the system? Why are we not sandboxing
  these two apps with SELinux?
 
  I've discovered some guidance for sandboxing Firefox using the 'sandbox'
  command.  Once I test it a bit, I'll post the results back here.  Seems
  to me that if this works, it should be the default.
 
  DaveM
 
 
 
 Very difficult to sandbox thunderbird and firefox.  But sandbox tool
 actually works well for sandboxing viewers of downloaded data.  I sandbox
 all content that will be viewed by evince and libreoffice.


Re: [CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

2012-12-07 Thread Rob Townley
Let us know how it goes.  I thought I followed one of Daniel Walsh's blog
posts to sandbox firefox and don't remember it being that bad, but that was
well over a year ago.  Since he maintained selinux for RedHat for a number
of years, ... he probably knows what he is talking about. He was always on
top of selinux reported bugs.


You may want to check out Qubes-OS.  Qubes-OS is based on Fedora by the
creator of bluepill guestOS to hypervisor code.

On Thu, Dec 6, 2012 at 8:05 PM, David McGuffey davidmcguf...@verizon.net wrote:

 Most of the advanced persistent threats (APT) are initiated via e-mail.
 Opening an attachment or clicking on a web link starts the process.

 Why isn't Firefox and Evolution confined with SELinux policy in a way
 that APT can't damage the rest of the system? Why are we not sandboxing
 these two apps with SELinux?

 I've discovered some guidance for sandboxing Firefox using the 'sandbox'
 command.  Once I test it a bit, I'll post the results back here.  Seems
 to me that if this works, it should be the default.

 DaveM




Re: [CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

2012-12-07 Thread Gordon Messmer
On 12/06/2012 06:05 PM, David McGuffey wrote:
 Why isn't Firefox and Evolution confined with SELinux policy in a way
 that APT can't damage the rest of the system? Why are we not sandboxing
 these two apps with SELinux?

Probably mostly because when you sandbox an X11 application, you can't 
copy and paste in or out of the application.  Most users want to do that.