A Modest Suggestion to make SElinux usable.
Kevin Kofler
kevin.kofler at chello.at
Mon Jun 1 14:25:46 UTC 2009
max wrote:
> SELinux needs a lot of things but an allow button is not one of them. A
> better idea would be to use the recently created sandbox feature instead,
> offering to run the application in a generic sandbox, this way it may run
> without incident but you can be reasonably sure it isn't grossly violating
> policy.
>
> Of course the sandbox doesn't support X apps yet so it may or may not work
> but its better than just allowing according to setroubleshoot. Really RPM
> (package kit or whatever) should sandbox all applications upon
> installation that do not have policy in place or at least offer the option
> but undoubtedly people would complain about that feature.
SELinux is already too restrictive, making it even more restrictive isn't
going to fix that problem.
That said, I don't see the usefulness of a framework exclusively designed to
forbid things at all. It's always going to be in your way and it's never
going to add an actual feature to your system.
Kevin Kofler
More information about the fedora-test-list
mailing list