On Fri, 2013-11-01 at 10:41 +0100, Miroslav Grepl wrote:
On 10/30/2013 05:07 PM, Dominick Grift wrote:
> On Wed, 2013-10-30 at 11:53 -0400, Daniel J Walsh wrote:
>> Well in this case I would like to potentially run these container/apps with
>> Types like firefox_t and ooffice_t, but more generically with app_t where
>> app_t is not allowed to touch user_home_t.
>> But we are going far a field of this email chain, and we can revisit this when
>> we actually have applications containers.
> Sure, we will see, and yes i guess containers in Gnome are inevitable
> anyways (what about other DE's). I think, but you probably already know
> that, that we should not try to prevent access to the generic user home
> content type user_home_t, but instead classify everything that is not
And do you think it is really possible?
"I have proof that it is possible, if one sets clear goals, boundaries,
and realistic expectations."
Confining the user space not that different from confining the system
space. Its just a lot more work to maintain and more error prone,
because there is more interactivity, and things change more frequently
in the the user space
But if you set clear goals, and clear boundaries (as to what you support
and what not), then yes, i know its possible because i implemented it
The same goes for the system space, we also set boundaries there. "This
we can, and will support, and anything else not"