sandboxing rpms

Benjamin Youngdahl ben.youngdahl at
Thu Dec 8 22:15:54 UTC 2005


My understanding is that RPM packages will be able to install policy modules
in FC5, an improvement over a monolithic policy.  I have a couple of
questions about the implementation:

1.  Is it possible to provide a temporary policy (either external, or with
an RPM) that constrains what the specific RPM's installation can do?

The motivation here is that when I install an RPM, it would be nice if I
would be able to get a declarative list of what the RPM wants access to do.
The RPM tool might summarize before installing the package what the package
will be allowed to do, by parsing this "installation sandbox" policy.

2.  Is it possible to limit (or discover easily in advance) what changes to
the system policy are being made by the RPM's policy modules?

The motivation being that I want to be sure that the policy modules
installed by an RPM are well behaved concerning overall system constraints.

Apologies in advance if these questions are way off-base, or belong
somewhere else.

Thanks for your thoughts,

More information about the fedora-selinux-list mailing list