On 10/30/2013 05:07 PM, Dominick Grift wrote:
On Wed, 2013-10-30 at 11:53 -0400, Daniel J Walsh wrote:
> Well in this case I would like to potentially run these container/apps with
> Types like firefox_t and ooffice_t, but more generically with app_t where
> app_t is not allowed to touch user_home_t.
> But we are going far afield of this email chain, and we can revisit this when
> we actually have application containers.
Sure, we will see, and yes I guess containers in Gnome are inevitable
anyway (what about other DEs?). I think, but you probably already know
that, that we should not try to prevent access to the generic user home
content type user_home_t, but instead classify everything that is not
And do you think it is really possible?
Anyway, the difference is that I have integrity enforcement on the
desktop currently implemented (albeit somewhat limited), and what you
are suggesting is something that might work in the distant future.
selinux mailing list