[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

Mon Dec 10 15:40:42 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>

Hash: SHA1

On 12/07/2012 06:49 PM, Gordon Messmer wrote:
> On 12/06/2012 06:05 PM, David McGuffey wrote:
>> Why isn't Firefox and Evolution confined with SELinux policy in a way 
>> that APT can't damage the rest of the system? Why are we not sandboxing 
>> these two apps with SELinux?
> Probably mostly because when you sandbox an X11 application, you can't copy
> and paste in or out of the application.  Most users want to do that. 
> _______________________________________________ CentOS mailing list 
> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
Yes when you wrap something in sandbox, you loose the ability for these
applications to communicate with the rest of the desktop.  In order to secure
the desktop in any real way you need to break communications, and this
communications break down, hurts usability.  I opt for security, and will just
run evince outside my session, if I really need copy/paste.  Maybe when we get
to Wayland, we can make this better.
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/