LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-26-2009, 03:15 PM   #1
zimon
Member
 
Registered: Sep 2004
Posts: 42

Rep: Reputation: 16
Restricting Firefox to the absolute minimum access with SELinux?


As there seem to be serious security flaws in Firefox now almost weekly, and Firefox is always vulnerable for at least a few days before the fix comes, because it takes time to get packaged and updated by an automatic package installer, how can SELinux (in Fedora 10) be used to restrict Firefox's process/program to accessing only the files and directories it absolutely needs?

Is there some easy way to do it?

Like forbidding everything first, then trying to run Firefox, then using audit2allow to punch holes as tiny as possible to let it function.

I am looking for step-by-step instructions, or some way to do it as easily as it would be done with AppArmor.
 
Old 03-27-2009, 09:30 AM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Linux isn't Windows. If you're running as a non-privileged user you don't have a high level of risk, as even if something was written to exploit Firefox on Linux on a given distribution, it wouldn't be able to do anything your user isn't able to do.
 
Old 03-27-2009, 10:27 AM   #3
zimon
Member
 
Registered: Sep 2004
Posts: 42

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by rweaver
Linux isn't Windows. If you're running as a non-privileged user you don't have a high level of risk, as even if something was written to exploit Firefox on Linux on a given distribution, it wouldn't be able to do anything your user isn't able to do.
Like being one of the bots in a huge botnet?

There are reasons why Java applets also are not allowed to read just any data file and send it anywhere.

Also, every user may have private files (photos, diaries, calendar data, address book, ...) which (s)he wouldn't like to be leaked.

One option is to use a chroot-jailed Firefox, but it then needs more RAM. Also, I kind of want to challenge SELinux: is it usable at all, or is it just too difficult for a normal sysadmin?
 
Old 03-27-2009, 01:55 PM   #4
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Quote:
Originally Posted by zimon
Like being one of the bots in a huge botnet?

There are reasons why Java applets also are not allowed to read just any data file and send it anywhere.

Also, every user may have private files (photos, diaries, calendar data, address book, ...) which (s)he wouldn't like to be leaked.

One option is to use a chroot-jailed Firefox, but it then needs more RAM. Also, I kind of want to challenge SELinux: is it usable at all, or is it just too difficult for a normal sysadmin?
If it's not running under a privileged account and it's running as you, getting rid of it is as easy as deleting it and removing the file. This isn't like Windows, where some script kiddie's file getting access to any account on the system immediately means the machine becomes part of some huge botnet and becomes a horrible mess to disinfect. rm file, kill -9 process, check netstat, check user login scripts.

A root level system breach is a wholly different story.

Again, this isn't Windows. Mountain, molehill. The level of "attack" you seem to be formulating in your head is a directed attack, not the scripted attack you typically see for exploiting browsers... and if someone is willing to spend that kind of time to attack you directly, then you've got more serious concerns than whether your browser has a few security holes... because they *are* going to get into your system... or just steal it.

Don't get me wrong, good security is very, very important. Using SELinux, chroot jails, etc. are all admirable things. However, in this case, a browser exploit on Linux compared to Windows, unless it is targeted specifically at you (e.g. they know what software you're using, what desktop, etc.), is pretty low risk.

Last edited by rweaver; 03-27-2009 at 02:09 PM.
 
Old 03-27-2009, 02:09 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by rweaver
Linux isn't Windows. If you're running as a non-privileged user you don't have a high level of risk, as even if something was written to exploit Firefox on Linux on a given distribution, it wouldn't be able to do anything your user isn't able to do.
Are you saying that even if, say, a heap-based buffer overflow existed in Firefox, and someone tricked it into some nice arbitrary code execution, "it wouldn't be able to do anything your user isn't able to do"?
 
Old 03-27-2009, 04:06 PM   #6
zimon
Member
 
Registered: Sep 2004
Posts: 42

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by rweaver
Again, this isn't Windows. Mountain, molehill. The level of "attack" you seem to be formulating in your head is a directed attack, not the scripted attack you typically see for exploiting browsers... and if someone is willing to spend that kind of time to attack you directly, then you've got more serious concerns than whether your browser has a few security holes... because they *are* going to get into your system... or just steal it.
I disagree.
For example, someone could right now have exploit code embedded in linuxquestions.org, and everyone visiting here with Firefox 3.0.7 or earlier would become part of a botnet. Or all visiting users' files (the files the user has access to on his/her host) would be stolen, just to see if there is something interesting.

There does not need to be someone willing to attack me directly, just anyone, or a mass of people.


These kind of bugs have been pretty frequent in Firefox lately:
(03.26.09) CanSecWest 2009 Pwn2Own Exploit and XSL Transform Vulnerability

So with SELinux, I would want to forbid the Firefox process from accessing any files or directories in my home directory (or users' home directories) other than $HOME/.mozilla/, /tmp/, and $HOME/Download/,
and would want those restrictions to stay even when Firefox is automatically updated by the distribution's package updater.

(edit: added later)
To be more precise: write access allowed only to ~/.mozilla/, /tmp/, and ~/Download/,
AND read access only to those resource files and library files Firefox needs under the host's root directory, nothing else.

Also, if, say, a Firefox heap-based overflow exploit ran something like "...;echo (WHATEVER) > /tmp/file;crontab /tmp/file", it would not work, because Firefox's process and its children are not allowed to read /usr/bin/echo or /usr/bin/crontab, and so on.

Last edited by zimon; 03-27-2009 at 05:39 PM. Reason: just to make clear what I would want to allow, and forbid everything else
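The deny-first, audit2allow-second approach the OP describes, applied to the write/read split laid out in this post, as an added example that is not from the thread or from any project mentioned in it. The type names (ffmin_t, ffmin_exec_t, ffmin_home_t, ffmin_tmp_t) are invented here, and the refpolicy interface and pattern macro names are assumptions to be checked against /usr/share/selinux/devel/include on the target box. The last function goes a step beyond plain audit2allow: it converts AVC denials into candidate allow rules but flags any rule that would let the browser execute another binary or map writable+executable memory, since accepting those is what would let the "echo ... ; crontab" scenario above succeed.

```shell
#!/bin/sh
# Added example (not code from the thread). A deny-by-default SELinux
# confinement for Firefox: tiny policy module, run the browser, read the AVC
# denials, accept only the holes you want. Type names (ffmin_*) and the
# refpolicy interface names are assumptions; check them against
# /usr/share/selinux/devel/include before building.

# Step 1: write the policy sources into directory $1. Writes are limited to
# the OP's three locations, reads to libraries, /etc, locale data and the
# network. Nothing grants execution of other binaries, so
# "echo ... > /tmp/file; crontab /tmp/file" is denied inside ffmin_t.
write_firefox_policy() {
    cat > "$1/ffmin.te" <<'EOF'
policy_module(ffmin, 0.1)
type ffmin_t;
type ffmin_exec_t;
type ffmin_home_t;   # ~/.mozilla and ~/Download
type ffmin_tmp_t;    # the browser's own files under /tmp
application_domain(ffmin_t, ffmin_exec_t)
userdom_user_home_content(ffmin_home_t)
files_tmp_file(ffmin_tmp_t)
allow ffmin_t self:process { signal sigkill getsched setsched };
allow ffmin_t self:fifo_file rw_fifo_file_perms;
allow ffmin_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(ffmin_t, ffmin_home_t, ffmin_home_t)
manage_files_pattern(ffmin_t, ffmin_home_t, ffmin_home_t)
manage_dirs_pattern(ffmin_t, ffmin_tmp_t, ffmin_tmp_t)
manage_files_pattern(ffmin_t, ffmin_tmp_t, ffmin_tmp_t)
files_tmp_filetrans(ffmin_t, ffmin_tmp_t, { file dir })
userdom_search_user_home_dirs(ffmin_t)
files_read_etc_files(ffmin_t)
miscfiles_read_localization(ffmin_t)
miscfiles_read_fonts(ffmin_t)
libs_use_ld_so(ffmin_t)
libs_use_shared_libs(ffmin_t)
sysnet_dns_name_resolve(ffmin_t)
corenet_tcp_connect_http_port(ffmin_t)
# Let the unconfined login domain start Firefox in ffmin_t. X11 access is
# deliberately left to the audit loop (your policy's xserver_* interfaces).
optional_policy(`
    unconfined_domtrans_to(ffmin_t, ffmin_exec_t)
')
EOF
    # File contexts: the versioned install directory is matched by a pattern,
    # so a package update keeps the label, which is what the OP asked for.
    cat > "$1/ffmin.fc" <<'EOF'
/usr/lib(64)?/firefox[^/]*/firefox(-bin)?  --  gen_context(system_u:object_r:ffmin_exec_t,s0)
HOME_DIR/\.mozilla(/.*)?  gen_context(system_u:object_r:ffmin_home_t,s0)
HOME_DIR/Download(/.*)?   gen_context(system_u:object_r:ffmin_home_t,s0)
EOF
}

# Step 2 (as root on the target box; not run by this script): build,
# install and relabel, then start Firefox and use it normally.
install_firefox_policy() {
    cd "$1" &&
    make -f /usr/share/selinux/devel/Makefile ffmin.pp &&
    semodule -i ffmin.pp &&
    restorecon -Rv /usr/lib*/firefox* "$HOME/.mozilla" "$HOME/Download"
}

# Step 3: turn AVC denials (stdin) into candidate allow rules, as audit2allow
# would, but flag every rule that would let the browser execute something or
# map writable+executable memory; accepting those undoes the confinement.
avc_to_rules() {
    sed -n 's/.*denied *{ *\([^}]*[^ }]\) *} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/allow \2 \3:\4 { \1 };/p' |
    LC_ALL=C sort -u |
    while IFS= read -r rule; do
        case "$rule" in
            *execute*|*execmem*|*execstack*|*execheap*|*entrypoint*|*transition*)
                printf '# REVIEW (undoes confinement): %s\n' "$rule" ;;
            *) printf '%s\n' "$rule" ;;
        esac
    done
}

# Constructed sample denials (not real audit output) for a dry run.
sample_denials() {
    cat <<'EOF'
type=AVC msg=audit(1238188800.101:301): avc:  denied  { read } for  pid=4242 comm="firefox" name="libnss3.so" dev=sda1 ino=1001 scontext=unconfined_u:unconfined_r:ffmin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1238188800.102:302): avc:  denied  { write } for  pid=4242 comm="firefox" name="X0" dev=tmpfs ino=1002 scontext=unconfined_u:unconfined_r:ffmin_t:s0 tcontext=system_u:object_r:xserver_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1238188800.103:303): avc:  denied  { execute_no_trans } for  pid=4242 comm="firefox" name="crontab" dev=sda1 ino=1003 scontext=unconfined_u:unconfined_r:ffmin_t:s0 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=file
type=AVC msg=audit(1238188800.104:304): avc:  denied  { execmem } for  pid=4242 comm="firefox" scontext=unconfined_u:unconfined_r:ffmin_t:s0 tcontext=unconfined_u:unconfined_r:ffmin_t:s0 tclass=process
type=SYSCALL msg=audit(1238188800.104:304): arch=40000003 syscall=192 success=no exit=-13
EOF
}
```

On a Fedora box with selinux-policy-devel installed the loop is: `write_firefox_policy`, `install_firefox_policy`, browse for a while, then `ausearch -m avc -ts recent | avc_to_rules`, paste the unflagged rules into ffmin.te, rebuild, and repeat until the browser works. Running `sample_denials | avc_to_rules` shows the shape of the output offline: the library read and the X socket write come out as plain rules, while the crontab execution and the execmem request come back flagged, which is exactly the class of hole this post wants left closed.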
 
Old 03-27-2009, 04:51 PM   #7
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Quote:
Originally Posted by unSpawn
Are you saying that even if, say, a heap-based buffer overflow existed in Firefox, and someone tricked it into some nice arbitrary code execution, "it wouldn't be able to do anything your user isn't able to do"?
You're still talking about a directed attack; this isn't the script kiddie stuff which makes up 99% of the web exploits and botnet crap the original poster seems to be afraid of. If you're talking about a directed attack, there are far easier avenues of entry and access. My opinion is this: this particular case is an example of spending far too much effort on fixing a minuscule problem. The effort could be better spent in many other areas. There are cases where such effort is warranted; based on currently available information, this isn't one of them.
 
Old 03-27-2009, 07:28 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by rweaver
You're still talking about a directed attack (..) This particular case is an example of spending far too much effort on fixing a minuscule problem.
No, way more generic. I'm pointing at you using the UNIX privilege separation concept as your main argument. While there's nothing wrong with that, buffer overflows exist, and have existed in Firefox. So that problem is realistic, but did not get mentioned here. Your opinion being noted (but apart from it just being your opinion, and not even remotely contributing to solving the OP's questions), DAC rights don't shield against that kind of vulnerability. SE Linux does. Even for processes running in unconfined_t, SE Linux does memory checks, and those processes may not allocate writeable memory and execute it. So while DAC rights are a start, they definitely are not the only usable and combat-proven layer of protection one could have.

To the OP: two things that come to mind would be looking at F10's SE Linux xguest addition, or TOMOYO (path-based), which (hurrah) will be (partially) in the next kernel release, 2.6.30. If you're willing to experiment: TOMOYO will run alongside SE Linux without problems, has an English-speaking user mailing list (the devs being Japanese), and just needs a kernel recompile and a wee bit of userland apps.

Last edited by unSpawn; 03-27-2009 at 07:31 PM. Reason: clarity++
 
1 members found this post helpful.
Old 03-27-2009, 07:56 PM   #9
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

Rep: Reputation: 2651
Personally, I would not worry about it.
Running as a normal user (and NOT as root), with SE set to enforcing, and everything up to date, for an automated script to be able to install something, let alone be able to do anything in your home folder (yes, there are some things that can be done), would be like hitting the "mega millions" jackpot for $30,000,000+. It could happen, but it's not likely.

Now if a hacker/cracker is after you and trying to get into your system, then there is really NOTHING you can do about it. They WILL get in.
 
Old 03-27-2009, 08:17 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I just don't get it. The OP has a simple, legitimate question. He isn't asking for opinions, and there's nothing in the OP that warrants talking about Windows, botnets, crackers or automated scripts...
 
2 members found this post helpful.
Old 03-27-2009, 08:49 PM   #11
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

Rep: Reputation: 2651
OK, one thing you can do to lock down Flash is to link ".macromedia/Flash_Player/#SharedObjects" to /dev/null:
Code:
cd ~
# the symlink can only be created if the SharedObjects directory does not already exist
ln -s /dev/null .macromedia/Flash_Player/#SharedObjects
but as for killing off a bunch of Firefox in an attempt to keep ALL and everything out, it's just not worth the effort

a better use of time would be to install and configure NoScript and Adblock Plus
 
Old 08-22-2012, 11:17 AM   #12
massysett
LQ Newbie
 
Registered: Nov 2005
Location: Silver Spring, Maryland USA
Distribution: SUSE Linux 10.0
Posts: 17

Rep: Reputation: 1
Better late than never: try running it in an SELinux sandbox.

http://www.linux.com/learn/tutorials...s-with-selinux
 
1 members found this post helpful.
All times are GMT -5.