[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

Thu Mar 21 00:09:27 UTC 2013
Rob Townley <rob.townley at gmail.com>

On Mon, Dec 10, 2012 at 9:40 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Hash: SHA1
> On 12/07/2012 06:49 PM, Gordon Messmer wrote:
>> On 12/06/2012 06:05 PM, David McGuffey wrote:
>>> Why isn't Firefox and Evolution confined with SELinux policy in a way
>>> that APT can't damage the rest of the system? Why are we not sandboxing
>>> these two apps with SELinux?
>> Probably mostly because when you sandbox an X11 application, you can't copy
>> and paste in or out of the application.  Most users want to do that.
>> _______________________________________________ CentOS mailing list
>> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
> Yes when you wrap something in sandbox, you loose the ability for these
> applications to communicate with the rest of the desktop.  In order to secure
> the desktop in any real way you need to break communications, and this
> communications break down, hurts usability.  I opt for security, and will just
> run evince outside my session, if I really need copy/paste.  Maybe when we get
> to Wayland, we can make this better.
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with undefined - http://www.enigmail.net/
> iEYEARECAAYFAlDGAnoACgkQrlYvE4MpobPYnQCfct1/1mnGEF7JxYd06ba/00hz
> qRgAoOQYZjU6ZvoaIk4a2gn9uKjBxsqH
> =Z6ei
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

When i tried sandboxing firefox on CentOS 6.4, it says i need
seunshare, but yum search all seunshare results in nothing.

"/usr/sbin/seunshare is required for the action you want to perform."

Widening the search to selinux and installing a bunch of packages, and
then running:
$ rpm -qf /usr/sbin/seunshare