[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: A Modest Suggestion to make SElinux usable.

From: Kevin Kofler <kevin kofler chello at>
To: fedora-test-list redhat com
Subject: Re: A Modest Suggestion to make SElinux usable.
Date: Mon, 01 Jun 2009 16:25:46 +0200

max wrote:
> SELinux needs a lot of things but an allow button is not one of them. A
> better idea would be to use the recently created sandbox feature instead,
> offering to run the application in a generic sandbox, this way it may run
> without incident but you can be reasonably sure it isn't grossly violating
> policy.
> 
> Of course the sandbox doesn't support X apps yet so it may or may not work
> but its better than just allowing according to setroubleshoot. Really RPM
> (package kit or whatever) should sandbox all applications upon
> installation that do not have policy in place or at least offer the option
> but undoubtedly people would complain about that feature.

SELinux is already too restrictive, making it even more restrictive isn't
going to fix that problem.

That said, I don't see the usefulness of a framework exclusively designed to
forbid things at all. It's always going to be in your way and it's never
going to add an actual feature to your system.

        Kevin Kofler

Follow-Ups:
- Re: A Modest Suggestion to make SElinux usable.
  - From: drago01

References:
- Re: A Modest Suggestion to make SElinux usable.
  - From: max

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]