Why we do confine Firefox
by Sven Vermeulen, post on Tue 11 August 2015If you're a bit following the SELinux development community you will know Dan Walsh, a Red Hat security engineer. Today he blogged about CVE-2015-4495 and SELinux, or why doesn't SELinux confine Firefox. He should've asked why the reference policy or Red Hat/Fedora policy does not confine Firefox, because SELinux is, as I've mentioned before, not the same as its policy.
In effect, Gentoo's SELinux policy does confine Firefox by default. One of the principles we focus on in Gentoo Hardened is to develop desktop policies in order to reduce exposure and information leakage of user documents. We might not have the manpower to confine all desktop applications, but I do think it is worthwhile to at least attempt to do this, even though what Dan Walsh mentioned is also correct: desktops are notoriously difficult to use a mandatory access control system on.
Gentoo metadata support for CPE
by Sven Vermeulen, post on Fri 10 May 2013Recently, the metadata.xml
file syntax definition (the DTD for those
that know a bit of XML) has been updated to support CPE definitions. A
CPE (Common Platform Enumeration) is an
identifier that
describes an
application, operating system or hardware device using its vendor,
product name, version, update, edition and …