SElinux

Bruno Wolff III bruno at wolff.to
Sat Apr 8 17:25:23 UTC 2006


On Sat, Apr 08, 2006 at 11:46:17 -0500,
  Les Mikesell <lesmikesell at gmail.com> wrote:
> On Sat, 2006-04-08 at 01:27, Bruno Wolff III wrote:
> > SELinux has value on Desktops, at least to some people. I would really like to
> > be able to run programs that don't have the same access to resources (in
> > particular network connections) that I do. I no longer trust software
> > vendors not to put bad stuff in their software, at least for things targeted
> > at consumers. Things are likely to get worse in this regard in the near
> > future.
> 
> That seems to be a missing feature in normal Linux access control.
> The SysV versions I used prior to Linux had device entries in the
> filesystem for the network devices just like everything else, and
> access to them was controlled by the user/group/other permissions
> like everything else.  You could limit the ability to open a
> network connection to members of a specific group if you
> wanted.  The Linux network devices seem to be something magic
> instead of following the normal access control model.

Linux controls suck for this. Currently what I do for Neverwinter Nights is
run it under a separate user and use firewall rules not to let it send
traffic over the external interface.
My preference would be to run it as myself, but limit its network and file
access.
I also have a couple of games I don't play too often that use wine and I
haven't put effort into locking them down yet. I don't know enough about
the wine environment to know how easy this is to do.
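As an added example (not part of Bruno's message or the thread), one way to script the arrangement he describes: run the program as a dedicated user and scope egress rules to that user with netfilter's owner match, which is the per-user network control Les notes is missing from plain file permissions. The user name nwn, the interface eth0 and the X display handling are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Confines a program's network
# access by running it as a dedicated user and matching that user's packets
# with iptables' owner module. Assumed: user "nwn", external interface "eth0".

NWN_USER="${NWN_USER:-nwn}"
EXT_IF="${EXT_IF:-eth0}"

# Emit the iptables commands rather than running them, so the policy can be
# reviewed first and then applied with:  gen_rules | sudo sh
gen_rules() {
    # Keep loopback usable: the program may still need a local socket.
    echo "iptables -A OUTPUT -o lo -m owner --uid-owner $NWN_USER -j ACCEPT"
    # Log a rate-limited sample of blocked attempts so unexpected callouts
    # by the confined program show up in the kernel log.
    echo "iptables -A OUTPUT -o $EXT_IF -m owner --uid-owner $NWN_USER -m limit --limit 5/min -j LOG --log-prefix \"${NWN_USER}-egress: \""
    # REJECT rather than DROP so the program fails fast instead of hanging.
    echo "iptables -A OUTPUT -o $EXT_IF -m owner --uid-owner $NWN_USER -j REJECT"
}

# Run the program as the confined user. Grants that local user access to the
# caller's X display; $1 is the binary, remaining args are passed through.
run_confined() {
    xhost +si:localuser:"$NWN_USER" >/dev/null
    sudo -u "$NWN_USER" env DISPLAY="$DISPLAY" "$@"
}
```

The rules only constrain sockets owned by that uid, so file access still has to be limited separately (by the user's own permissions, or an SELinux domain).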

More information about the fedora-list mailing list