[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

Fri Dec 7 02:05:00 UTC 2012
David McGuffey <davidmcguffey at verizon.net>

Moat of the advanced persistent threats (APT) are initiated via e-mail.
Opening an attachment or clicking on a web link starts the process.

Why isn't Firefox and Evolution confined with SELinux policy in a way
that APT can't damage the rest of the system? Why are we not sandboxing
these two apps with SELinux?

I've discovered some guidance for sandboxing Firefox using the 'sandbox'
command.  Once I test it a bit, I'll post the results back here.  Seems
to me that if this works, it should be the default.