
Re: Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))



On Fri, Feb 24, 2006 at 12:45:17 +0100,
  Ralf Ertzinger <fedora camperquake de> wrote:
> Hi.
> 
> On Fri, 24 Feb 2006 06:42:45 -0500, Benjy Grogan wrote:
> 
> > That was my understanding of SELinux.  You could run a crazy program
> > that has root privileges, is hackable, has no SELinux policy, and all
> > that effort was for nigh.
> 
> I think this is a question of policy. The "targeted" policy does
> what you describe, it just confines specific applications. You are
> free to use the reverse approach, though.

And 'targeted' still buys you a lot. Not all programs are used the same way
and some will be a lot more likely to be a way in to your system than
others.
For 'targeted', internet-facing daemons have had restrictive policies
written for them. These are one set of high-risk programs. Another set,
that I don't believe has gotten much coverage, are end-user programs
used to view data that typically comes from outside sources. This should
include such things as web browsers, mail clients, editors, PDF viewers,
and music and/or video players.

