Networking and the firewall (Was Re: Isn't it time for the encrypted file system???)
David Zeuthen
davidz at redhat.com
Thu Mar 30 01:10:40 UTC 2006
On Wed, 2006-03-29 at 17:58 -0500, Matthew Miller wrote:
> On Wed, Mar 29, 2006 at 12:56:46AM -0500, Daniel J Walsh wrote:
> > >>Should also be wrapped in SELinux to make sure some random app does not
> > >>ask for this. If I am a user and NetworkManager pops a window saying
> [...]
> > >What would happen in the absence of SELinux?
> > It will ask the user and the user will say yes.
Right. Maybe even the user needs to put in his own password or the
superuser password.
> > In the SELinux case it will still ask the user, but only an approved app
> > will be able to open the hole in the firewall.
It won't have to ask the user and I argue it shouldn't have to.
>
> Sounds good, although I wonder if it might be nicer to implement this in a
> way similar to that described here: <http://blog.fubar.dk/?p=66>.
Yea, that's what I was rambling about in my other mail.
> Also, who decides which apps are "random" and which are approved?
The thinking was that g-u-s would provide the system-level component for
punching a hole that the httpd process launched by g-u-s would use. As
such, only g-u-s would be able to use this. Other apps such as Banshee
or Rhythmbox that want to listen on a port too would provide similar
helpers. This is not optimal but we gotta start somewhere.
Ideally, the Fedora firewall (which is no more than a script plus a
consolehelper-powered GUI, ugh) would provide such a service along with
a configuration framework. In fact, ideally there would be a
freedesktop.org framework for punching holes through firewalls so
everything would be solved upstream. One can always dream, yea?
David