[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))




That was my understanding of SELinux.  You could run a crazy program
that has root privileges, is hackable, has no SELinux policy, and all
that effort was for nigh.
It goes more like:
- "I have a crazy program that has root privileges, is hackable, has no SELinux policy"
- "I'll write a selinux policy for it"
- "Now the program's still hackable, but at least it doesn't break anything else when it gets get hacked"

I'm not sure what you expect to happen - policy should write itself?

Programs without a policy run in a high privilege domain, because we still want those programs to work, even though nobody has written a policy for them. It's easy to restrict those programs to run in a low privilege domain. Then they wouldn't work at all, and you'd only be able to run confined programs - I doubt this is what you want.

Note that strict policy confines a lot more things that targeted does - it's meant to be used in a locked-down environment. (Unfortunately it seems broken at the moment, but I'm sure most of it will be fixed by FC5).


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]