[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?
Daniel J Walsh
dwalsh at redhat.com
Fri Dec 7 11:49:40 UTC 2012
On 12/06/2012 09:05 PM, David McGuffey wrote:
> Most of the advanced persistent threats (APT) are initiated via e-mail.
> Opening an attachment or clicking on a web link starts the process.
>
> Why aren't Firefox and Evolution confined with SELinux policy in a way that
> APT can't damage the rest of the system? Why are we not sandboxing these
> two apps with SELinux?
>
> I've discovered some guidance for sandboxing Firefox using the 'sandbox'
> command. Once I test it a bit, I'll post the results back here. Seems to
> me that if this works, it should be the default.
>
> DaveM
Very difficult to sandbox Thunderbird and Firefox. But the sandbox tool actually
works well for sandboxing viewers of downloaded data. I sandbox all content
that will be viewed by evince and libreoffice.
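
Added example, not part of the original thread: a small wrapper for the practice described in the reply above, opening downloaded documents in evince or libreoffice under the SELinux `sandbox` command. The function names, the extension-to-viewer mapping and the DRYRUN variable are assumptions of this sketch; it expects the policycoreutils sandbox tool and a file under $HOME or /tmp.

```shell
#!/bin/sh
# Illustrative wrapper (hypothetical names): view downloaded files only
# inside "sandbox -X", and refuse types with no sandboxed viewer.

# Print the viewer for a file, chosen by extension; return 1 if unknown.
viewer_for() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.pdf|*.ps|*.djvu) echo evince ;;
        *.doc|*.docx|*.odt|*.xls|*.xlsx|*.ods|*.ppt|*.pptx|*.odp)
            echo libreoffice ;;
        *) return 1 ;;
    esac
}

# Make the path absolute so a name such as "-x.pdf" is never parsed
# as a command-line option by sandbox or by the viewer.
abs_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$PWD" "$1" ;;
    esac
}

# Run the viewer in an X sandbox; with DRYRUN=1 only print the command.
open_sandboxed() {
    [ -n "$1" ] || { echo "usage: open_sandboxed FILE" >&2; return 2; }
    viewer=$(viewer_for "$1") || {
        echo "refusing: no sandboxed viewer for $1" >&2
        return 1
    }
    path=$(abs_path "$1")
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf 'sandbox -X -t sandbox_x_t %s %s\n' "$viewer" "$path"
        return 0
    fi
    [ -f "$path" ] || { echo "no such file: $path" >&2; return 1; }
    # sandbox_x_t is the default type for -X; it is spelled out here
    # so the confinement in use is visible in process listings and logs.
    sandbox -X -t sandbox_x_t "$viewer" "$path"
}
```

Source the file and call `open_sandboxed ~/Downloads/report.pdf`; unknown extensions are rejected instead of falling back to an unconfined viewer.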