From: dominick.grift@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel
Date: Thu, 19 Sep 2013 09:59:22 +0200
Message-ID: <1379577562.16771.30.camel@d30>
In-Reply-To: <523AA6C3.5000105@ping.de>
On Thu, 2013-09-19 at 09:24 +0200, Andreas Kuckartz wrote:
> Dominick Grift:
> >> you can allow the execmem issue with audit2allow
> >
> > err .... there actually is probably a boolean that you can toggle to
> > allow it:
> >
> > allow_execmem
> > allow_execstack
> >
>
> This is suggested by audit2allow:
>
> -----
> #============= unconfined_t ==============
> #!!!! This avc can be allowed using one of the these booleans:
> # allow_execstack, allow_execmem
>
> allow unconfined_t self:process execmem;
> -----
>
> I really hesitate to accept this as a safe resolution of the issue.
> Hopefully Mozilla will improve Firefox...

You're running as unconfined_t, which is a domain basically designed to
be exempt from SELinux enforcement.

The SELinux framework is very flexible/configurable and you can set it up
to enforce almost anything you want. So whatever you have in mind, if
you want it, go and get it. Like many of us do.

I've confined basic desktop sessions (actually various times). I actually
recorded the whole process of my latest endeavor and put it on your tube
(it is 100-plus hours' worth of screencast) (youtube.com/domg4721).

As for perfect coverage of a basic system: yes, in a perfect world
maybe. Not this world, unfortunately. Besides, Debian has no active
SELinux maintainers. Things have been stale for quite a while there now.

Want to take on the challenge of maintaining SELinux in Debian?

>
> Cheers,
> Andreas
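
An added example, not part of the original thread or of refpolicy: a small reviewer for audit2allow output like the block quoted above, which flags rules granting executable-memory permissions and records the booleans audit2allow suggests instead of a custom rule. The second rule in `SAMPLE` and the function name `review` are constructed for illustration.

```python
import re

# Permissions that let a domain execute memory that is (or was) writable.
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod"}
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(\{[^}]*\}|[^;\s]+)\s*;")

# The first rule and its comments are the output quoted in the thread;
# the second rule is constructed for contrast.
SAMPLE = """\
#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_execstack, allow_execmem

allow unconfined_t self:process execmem;
allow unconfined_t user_home_t:file { read open };
"""


def review(text):
    """Return one finding per allow rule, with risky perms and boolean hints."""
    findings, booleans, in_hint = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#!!!!") and "boolean" in line:
            # Hint marker; a single boolean may be quoted on this same line.
            in_hint, booleans = True, re.findall(r"'(\w+)'", line)
        elif in_hint and line.startswith("#") and not line.startswith(("#=", "#!")):
            # Continuation comment listing the candidate booleans.
            booleans += re.findall(r"\w+", line)
        elif (m := RULE_RE.match(line)):
            source, target, tclass, perms = m.groups()
            granted = set(perms.strip("{} ").split())
            findings.append({
                "rule": line,
                "source": source,
                "class": tclass,
                "risky": sorted(granted & RISKY_PERMS),
                "booleans": booleans,
            })
            in_hint, booleans = False, []   # attach a hint to the next rule only
        elif line:
            in_hint, booleans = False, []   # any other text ends the hint
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE):
        verdict = "REVIEW" if f["risky"] else "ok"
        print(f"{verdict:6} {f['rule']}  risky={f['risky']} booleans={f['booleans']}")
```

A flagged rule with a non-empty `booleans` list is one where toggling an existing boolean would have the same effect as loading the generated module, so both options deserve the same scrutiny.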