[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

Fri Dec 7 22:05:24 UTC 2012
Rob Townley <rob.townley at gmail.com>

Let us know how it goes.  I thought I followed one of Daniel Walsh's blog
posts to sandbox firefox and don't remember it being that bad, but that was
well over a year ago.  Since he maintained selinux for RedHat for a number
of years, ... he probably knows what he is talking about. He was always on
top of selinux reported bugs.


You may want to check out Qubes-OS.  Qubes-OS is based on Fedora by the
creator of bluepill guestOS to hypervisor code.

On Thu, Dec 6, 2012 at 8:05 PM, David McGuffey <davidmcguffey at verizon.net> wrote:

> Most of the advanced persistent threats (APT) are initiated via e-mail.
> Opening an attachment or clicking on a web link starts the process.
>
> Why aren't Firefox and Evolution confined with SELinux policy in a way
> that APT can't damage the rest of the system? Why are we not sandboxing
> these two apps with SELinux?
>
> I've discovered some guidance for sandboxing Firefox using the 'sandbox'
> command.  Once I test it a bit, I'll post the results back here.  Seems
> to me that if this works, it should be the default.
>
> DaveM
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
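Added example (not from either poster) of the kind of 'sandbox' launcher the quoted message refers to: it runs Firefox under the sandbox_web_t type with a persistent, private home and tmp, and refuses to start if the confinement would silently not apply. It assumes policycoreutils' sandbox command and its policy module are installed and SELinux is enforcing; SANDBOX_BASE is a constructed default path.

```shell
#!/bin/sh
# Launch Firefox confined by SELinux via policycoreutils' `sandbox` command.
# Assumes the sandbox policy module is loaded and SELinux is enforcing.
# SANDBOX_BASE is a constructed default; override it from the environment.

SANDBOX_BASE="${SANDBOX_BASE:-$HOME/.sandbox-firefox}"

# Argument list for a confined web client:
#   -X               nested X server (Xephyr), so the app cannot snoop on
#                    keystrokes or window contents of the real desktop
#   -t sandbox_web_t confined type allowing only outbound web-client traffic
#   -H / -T          private home and tmp: the profile persists across runs,
#                    while the real $HOME is invisible to the process
sandbox_args() {
    printf '%s' "-X -t sandbox_web_t -H $SANDBOX_BASE/home -T $SANDBOX_BASE/tmp"
}

# Preflight: better to fail loudly than to launch Firefox unconfined.
sandbox_preflight() {
    command -v sandbox >/dev/null 2>&1 || { echo "sandbox missing (policycoreutils)" >&2; return 1; }
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ] || { echo "SELinux is not enforcing" >&2; return 1; }
    return 0
}

# -H and -T must point at existing directories; sandbox relabels them on each run.
sandbox_prepare_dirs() {
    mkdir -p "$SANDBOX_BASE/home" "$SANDBOX_BASE/tmp" || return 1
    chmod 0700 "$SANDBOX_BASE/home" "$SANDBOX_BASE/tmp"
}

run_firefox_sandboxed() {
    sandbox_preflight || return 1
    sandbox_prepare_dirs || return 1
    # Word-splitting of sandbox_args is intended here.
    exec sandbox $(sandbox_args) firefox "$@"
}

# Usage: sandbox-firefox.sh launch [firefox args...]
#        sandbox-firefox.sh show          (print the command without running it)
case "${1:-}" in
    launch) shift; run_firefox_sandboxed "$@" ;;
    show)   echo "sandbox $(sandbox_args) firefox" ;;
esac
```

Note that a persistent -H directory also means a compromised browser can tamper with its own profile between runs; what the sandbox prevents is reaching the rest of the user's files, not persistence inside the sandbox itself.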