en-US/Revision_History.xml en-US/Security.xml
John J. McDonough
jjmcd at fedoraproject.org
Mon Nov 9 19:46:46 UTC 2009
en-US/Revision_History.xml | 3 +++
en-US/Security.xml | 25 +++++++++++++++++++++++++
2 files changed, 28 insertions(+)
New commits:
commit 392e7abaeb8a01305068615c24d679797ff93523
Author: John J. McDonough <jjmcd at fedoraproject.org>
Date: Mon Nov 9 14:46:40 2009 -0500
sandbox -X (bug #533585)
diff --git a/en-US/Revision_History.xml b/en-US/Revision_History.xml
index 4cc60cc..7f49e2a 100644
--- a/en-US/Revision_History.xml
+++ b/en-US/Revision_History.xml
@@ -21,6 +21,9 @@
<member>
Include pointer to Fedora 12 Talking Points (bug #533574)
</member>
+ <member>
+ Note addition of sandbox -X (bug #533585)
+ </member>
</simplelist>
</para>
</listitem>
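Review bot: The added <member> writes the command as plain text ("Note addition of sandbox -X"), while the Security.xml hunk in this same commit marks it up as <command>sandbox -X</command>; use the same markup here for consistency. The entry could also name the section it refers to (SELinux Sandbox, under Security) so a reader can find the change without looking up the bug.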
diff --git a/en-US/Security.xml b/en-US/Security.xml
index daa0a5a..e914c0a 100644
--- a/en-US/Security.xml
+++ b/en-US/Security.xml
@@ -29,6 +29,31 @@
</para>
</section>
+ <section id="sect-Release_Notes-Security-SELinux_Sandbox">
+ <title>SELinux Sandbox</title>
+ <para>
+ The SELinux sandbox allows a command to be run in a highly
+ constrained fashion. Unfortunately, the nature of GUI
+ applications is such that it is very difficult to use this
+ capability on those applications that need it most.
+ </para>
+ <para>
+ A new <command>sandbox -X</command> command allows many
+ GUI applications to be tightly constrained. By applying
+ this within some web applications, a user may specify, for
+ example, that Open Office should run normally when invoked
+ by the user, but should be constrained when invoked from
+ the web.
+ </para>
+ <para>
+ When run from the SELinux sandbox, a GUI application may
+ only access a limited directory structure which is
+ destroyed on exit, is denied access to the network, and
+ runs in an isolated X-server, which prevents it from
+ accessing other X applications.
+ </para>
+ </section>
+
</section>
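Review bot: The second paragraph's "By applying this within some web applications" does not say who applies it or where it is configured, so a reader cannot tell how to get the "constrained when invoked from the web" behaviour; name the mechanism or point to the documentation for it. The first paragraph says only that sandboxing GUI applications is "very difficult" without giving the reason, which leaves unclear what -X changes. The section also carries no invocation example and no reference for the command, and the third paragraph's list ("may only access ..., is denied ..., and runs ...") would read more clearly as an <itemizedlist> of the three restrictions. Minor: the added blank line before the closing </section> is whitespace only and can be dropped.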