Odd boolean in /etc/selinux/strict/booleans?

Ivan Gyurdiev ivg2 at cornell.edu
Thu Mar 31 17:11:40 UTC 2005

On Thu, 2005-03-31 at 11:09 -0500, Daniel J Walsh wrote:
> Ivan Gyurdiev wrote:
> >>Bad name in the installed file.  It used to be disable_games.  We might 
> >>want to add a
> >>boolean back in to prevent users from running games at all.  But we 
> >>would need to remove
> >>exec_type from the attribute.
> >>    
> >>
> >
> >Prevent users from running games? Why do we want to do that?
> >What's wrong with the current approach to doing this...namely..don't
> >install any games, and then the users won't be running them.
> >
> >  
> >
> I am thinking of the situation where you might want to users in a 
> certain role allowed to play games and others not, on a shared
> machine.  A more interesting example would be to disallow sysadm from 
> running games, mozilla ...
> Basically a user accidently runs mozilla or a game while newroled to 
> sysadm.  Might be nice to have that error out.
> Ordinarily a transition happens but still It would be nice to prevent this.

I actually see SElinux as suited for the *opposite* phenomenon.
Particularly, while on a legacy machine running mozilla and company as
root would not be a very bright idea, on a SElinux-constrained machine
it shouldn't be so bad (it's confined, how much damage can it do?).

Ivan Gyurdiev <ivg2 at cornell.edu>
Cornell University

More information about the fedora-selinux-list mailing list