Draft Product Description for Fedora Workstation

Daniel J Walsh dwalsh at redhat.com
Thu Nov 7 13:28:50 UTC 2013



On 11/06/2013 10:12 PM, Kevin Kofler wrote:
> Simo Sorce wrote:
> 
>> On Wed, 2013-11-06 at 01:13 +0100, Kevin Kofler wrote:
>>> Simo Sorce wrote:
>>>> * and *ideally* I mean SELinux sandboxed with specific APIs that
>>>> must be used to interact with the rest of the system, so that the
>>>> application doesn't have free rein over user's files.
>>> 
>>> So you want to remove my freedom to disable SELinux? <SARCASM>Way to
>>> go… </SARCASM>
>> 
>> If this is all you have to say about what I wrote (strawman on a note and
>> ignore completely the rest) you have nothing valid to say in this 
>> discussion.
> 
> If the system relies on SELinux to sandbox apps, it means that SELinux 
> becomes mandatory to use it, which definitely does remove my freedom to 
> disable it. So where's the strawman?
> 
> Kevin Kofler
> 
There will not be a requirement to run with SELinux.  We can also mitigate
some of the risks by using namespacing, mounting over ~ and /tmp, as
well as user_namespace if it is working well.  Of course DAC permissions and
capabilities will still be in place.

Security is about layers.  Removing SELinux will make it less secure but not
totally insecure.

