* mozilla 0.9.3-2 crashing with tunables read and write homedir OFF
From: Luke Kenneth Casson Leighton @ 2004-08-17 19:38 UTC (permalink / raw)
To: SE-Linux
instant crash - after about two seconds, so not a thing on-screen.
just in case anyone's curious about using mozilla with no read or write
access to user-home: at present (policy 1.12-3 or 4 and mozilla 0.9.2-3)
it don't work.
debian bugreport raised.
l.
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl@lkcl.net
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Erich Schubert @ 2004-08-17 22:10 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
Hi,
> just in case anyone's curious about using mozilla with no read or write
> access to user-home: at present (policy 1.12-3 or 4 and mozilla 0.9.2-3)
> it don't work.
>
> debian bugreport raised.
Waste of time. I guess that any mozilla developer will tell you they do
need write access to their profile directory.
Furthermore using an ancient version of mozilla doesn't help either.
Even Debian "woody" (aka "stable") has mozilla 1.0.0 because of security
issues... If you want to have a secure system you should at least
upgrade to the most recent security update.
And don't expect applications to behave differently than what they were designed for.
Mozilla was designed to have a writeable profile directory for its cache, configuration data etc.
I bet the developers will just drop your bug report and tell you to write your own browser using the gecko engine...
Greetings,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
There are only 10 types of people in the world: //\
Those who understand binary and those who don't V_/_
Good friends are like stars in the night. Even when they are sometimes
behind the clouds, you know they are there for you.
--
From: Russell Coker @ 2004-08-18 10:23 UTC (permalink / raw)
To: Erich Schubert; +Cc: Luke Kenneth Casson Leighton, SE-Linux
On Wed, 18 Aug 2004 08:10, Erich Schubert <erich@debian.org> wrote:
> > just in case anyone's curious about using mozilla with no read or write
> > access to user-home: at present (policy 1.12-3 or 4 and mozilla 0.9.2-3)
> > it don't work.
> >
> > debian bugreport raised.
>
> Waste of time. I guess that any mozilla developer will tell you they do
> need write access to their profile directory.
Turning off read/write access to the main home directory does not stop access
to the mozilla profile directory.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
From: Stephen Smalley @ 2004-08-18 11:56 UTC (permalink / raw)
To: Erich Schubert; +Cc: Luke Kenneth Casson Leighton, SE-Linux
On Tue, 2004-08-17 at 18:10, Erich Schubert wrote:
> Waste of time. I guess that any mozilla developer will tell you they do
> need write access to their profile directory.
<snip>
> And don't expect applications to behave differently than what they were designed for.
> Mozilla was designed to have a writeable profile directory for its cache, configuration data etc.
> I bet the developers will just drop your bug report and tell you to write your own browser using the gecko engine...
The mozilla policy gives mozilla the ability to create and write its own
files. The tunables just control whether it can read and/or write other
files in the user's home directory.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
From: Luke Kenneth Casson Leighton @ 2004-08-18 13:21 UTC (permalink / raw)
To: Erich Schubert; +Cc: SE-Linux
On Wed, Aug 18, 2004 at 12:10:20AM +0200, Erich Schubert wrote:
> Hi,
>
> > just in case anyone's curious about using mozilla with no read or write
> > access to user-home: at present (policy 1.12-3 or 4 and mozilla 0.9.2-3)
> > it don't work.
> >
> > debian bugreport raised.
>
> Waste of time. I guess that any mozilla developer will tell you they do
> need write access to their profile directory.
i believe you may be misunderstanding.
access to profile directory is fine: they can have write access
to ~/.mozilla no problem, specifying some file contexts to
allow that [a $1_mozilla_profile_t where $1=user/sysadm/staff/whatever
which is placed on all files in ~/.mozilla]
it's write access to home directories [file downloads, viruses,
exploits, security holes etc] that should be banned via the
tunable parameter mozilla_can_write.
instead, not setting this parameter causes mozilla to go pear-shaped.
> Furthermore using an ancient version of mozilla doesn't help either.
> Even Debian "woody" (aka "stable") has mozilla 1.0.0 because of security
> issues... If you want to have a secure system you should at least
> upgrade to the most recent security update.
>
> And don't expect applications to behave differently than what they were designed for.
> Mozilla was designed to have a writeable profile directory for its cache, configuration data etc.
> I bet the developers will just drop your bug report and tell you to write your own browser using the gecko engine...
hah!
when i am rich and no longer infamous.
--
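Added example (not from the thread and not the Debian policy 1.12 rules): a simplified SELinux policy fragment showing the split that Stephen Smalley and Luke describe above, namely unconditional access to the browser's own profile tree and tunable-gated access to everything else under the home directory. The type names user_mozilla_t, user_mozilla_profile_t, user_home_dir_t and user_home_t and the boolean mozilla_can_read are assumptions that follow the $1_mozilla_profile_t naming pattern in Luke's message with $1 = user; mozilla_can_write is the tunable name he gives. Permission lists are abbreviated.

```selinux
# Added example policy fragment; type and boolean names are assumptions
# following the naming used in the thread, not a copy of any shipped policy.

# Tunables: gate read and write access to ordinary home-directory files.
# Both default to off, which is the configuration in the subject line.
bool mozilla_can_read false;
bool mozilla_can_write false;

type user_mozilla_t;          # the browser's domain
type user_mozilla_profile_t;  # ~/.mozilla and everything beneath it
type user_home_dir_t;         # the home directory itself
type user_home_t;             # other files the user owns under $HOME

# Matching file-context entry (belongs in the .fc file, shown as a comment):
#   HOME_DIR/\.mozilla(/.*)?   system_u:object_r:user_mozilla_profile_t

# Unconditional: the profile tree is always readable and writable, so the
# cache, prefs and lock files keep working whatever the tunables say.
allow user_mozilla_t user_home_dir_t:dir { getattr search };
allow user_mozilla_t user_mozilla_profile_t:dir { getattr search read write add_name remove_name create rmdir };
allow user_mozilla_t user_mozilla_profile_t:file { getattr setattr read write append create unlink rename lock };
allow user_mozilla_t user_mozilla_profile_t:lnk_file { getattr read create unlink };

# Conditional: reading other files in the home directory only when the
# read tunable is on (file uploads, opening local documents).
if (mozilla_can_read) {
    allow user_mozilla_t user_home_dir_t:dir { read };
    allow user_mozilla_t user_home_t:dir { getattr search read };
    allow user_mozilla_t user_home_t:file { getattr read };
    allow user_mozilla_t user_home_t:lnk_file { getattr read };
}

# Conditional: creating or modifying other files in the home directory
# (file downloads and the like) only when the write tunable is on. With it
# off, such attempts are denied and logged as AVC denials; how the
# application copes with the denial is its own problem, which is the
# behaviour the thread is about.
if (mozilla_can_write) {
    allow user_mozilla_t user_home_dir_t:dir { read write add_name remove_name };
    allow user_mozilla_t user_home_t:dir { getattr search read write add_name remove_name create rmdir };
    allow user_mozilla_t user_home_t:file { getattr setattr read write append create unlink rename };
}
```

With both booleans off, the only home-directory objects the domain can touch are the profile tree and the home directory's own inode for lookup, which is the point Russell and Stephen make: switching the tunables off does not remove profile access. The booleans can be inspected with getsebool -a and flipped with setsebool without reloading the rest of the policy.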
* Re: mozilla 0.9.3-2 crashing with tunables read and write homedir OFF
From: Luke Kenneth Casson Leighton @ 2004-08-18 15:38 UTC (permalink / raw)
To: Russell Coker; +Cc: Erich Schubert, SE-Linux
On Wed, Aug 18, 2004 at 08:23:02PM +1000, Russell Coker wrote:
> On Wed, 18 Aug 2004 08:10, Erich Schubert <erich@debian.org> wrote:
> > > just in case anyone's curious about using mozilla with no read or write
> > > access to user-home: at present (policy 1.12-3 or 4 and mozilla 0.9.2-3)
> > > it don't work.
> > >
> > > debian bugreport raised.
> >
> > Waste of time. I guess that any mozilla developer will tell you they do
> > need write access to their profile directory.
>
> Turning off read/write access to the main home directory does not stop access
> to the mozilla profile directory.
it would appear that mozilla 0.9.2-3 is using fuser to test whether it
can write to the user's home directory.
the policy having been set to ban that access, fuser either crashes or
returns an answer that causes mozilla to crash.
l.
--