Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))

Bruno Wolff III bruno at wolff.to
Fri Feb 24 15:20:53 UTC 2006


On Fri, Feb 24, 2006 at 12:45:17 +0100,
  Ralf Ertzinger <fedora at camperquake.de> wrote:
> Hi.
> 
> On Fri, 24 Feb 2006 06:42:45 -0500, Benjy Grogan wrote:
> 
> > That was my understanding of SELinux.  You could run a crazy program
> > that has root privileges, is hackable, has no SELinux policy, and all
> > that effort was for nigh.
> 
> I think this is a question of policy. The "targeted" policy does
> what you describe, it just confines specific applications. You are
> free to use the reverse approach, though.

And 'targeted' still buys you a lot. Not all programs are used the same way,
and some will be a lot more likely to be a way into your system than
others.

For 'targeted', internet-facing daemons have had restrictive policies
written for them. These are one set of high-risk programs. Another set,
that I don't believe has gotten much coverage, are end-user programs
used to view data that typically comes from outside sources. This should
include such things as web browsers, mail clients, editors, PDF viewers,
and music and/or video players.
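The gap the post describes (daemons confined by the targeted policy, end-user viewers left in an unconfined domain) can be audited from `ps -eZ` output. The script below is an added example, not code from the mailing list; the `ps -eZ` sample is constructed, and the sets of unconfined domain types and viewer program names are assumptions to adjust for the host's policy and installed software.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ps -eZ` output (not taken from the post).
SAMPLE_PS_Z = """\
LABEL                                          PID TTY          TIME CMD
system_u:system_r:httpd_t:s0                  1234 ?        00:00:01 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023        876 ?        00:00:00 sshd
system_u:system_r:initrc_t:s0                  990 ?        00:00:00 legacyd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:05 firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2350 pts/0 00:00:02 evince
"""

# Domain types the targeted policy leaves effectively unrestricted.
# Assumption: verify against the loaded policy on the host (e.g. with `seinfo -t`).
UNCONFINED_DOMAINS = {"unconfined_t", "initrc_t", "unconfined_service_t"}

# End-user programs that open data from outside sources (the categories named
# in the post). Assumption: edit to match the binaries actually installed.
UNTRUSTED_INPUT_VIEWERS = {"firefox", "evolution", "thunderbird", "evince",
                           "xpdf", "totem", "xmms", "vim", "emacs"}

# LABEL PID TTY TIME CMD; the header line fails the \d+ match and is skipped.
_LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+(\S+)$")


def parse_ps_z(text: str) -> List[Tuple[str, int, str]]:
    """Return (domain_type, pid, command) per process line; skip header/malformed lines."""
    rows = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        label, pid, cmd = m.group(1), int(m.group(2)), m.group(3)
        fields = label.split(":")          # user:role:type[:range]
        if len(fields) < 3:
            continue
        rows.append((fields[2], pid, cmd))
    return rows


def audit(text: str) -> Dict[str, List[str]]:
    """Split processes into confined/unconfined and flag unconfined viewers of outside data."""
    report: Dict[str, List[str]] = {"confined": [], "unconfined": [], "unconfined_viewers": []}
    for dtype, _pid, cmd in parse_ps_z(text):
        if dtype in UNCONFINED_DOMAINS:
            report["unconfined"].append(cmd)
            if cmd in UNTRUSTED_INPUT_VIEWERS:
                report["unconfined_viewers"].append(cmd)
        else:
            report["confined"].append(cmd)
    return report
```

On a live host, feed it the real output with `audit(subprocess.check_output(["ps", "-eZ"], text=True))`; anything in `unconfined_viewers` is a program that handles untrusted input without a confining domain.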
