Draft Product Description for Fedora Workstation

Daniel J Walsh dwalsh at redhat.com
Thu Nov 7 13:28:50 UTC 2013

On 11/06/2013 10:12 PM, Kevin Kofler wrote:
> Simo Sorce wrote:
>> On Wed, 2013-11-06 at 01:13 +0100, Kevin Kofler wrote:
>>> Simo Sorce wrote:
>>>> * and *ideally* I mean SELinux sandboxed with specific APIs that
>>>> must be used to interact with the rest of the system, so that the 
>>>> application doesn't have free rein over users' files.
>>> So you want to remove my freedom to disable SELinux? <SARCASM>Way to
>>> go… </SARCASM>
>> If this is all you have to say about what I wrote (strawman on a note and
>> ignore completely the rest) you have nothing valid to say in this 
>> discussion.
> If the system relies on SELinux to sandbox apps, it means that SELinux 
> becomes mandatory to use it, which definitely does remove my freedom to 
> disable it. So where's the strawman?
> Kevin Kofler
There will not be a requirement to run with SELinux.  We can also mitigate
some of the risks by using namespacing, mounting over ~ and /tmp, as well as
user_namespace if it is working well.  Of course DAC permissions and
capabilities will still be in place.

Security is about layers.  Removing SELinux will make it less secure but not
totally insecure.

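The namespace layer Dan describes (a private mount namespace with empty tmpfs mounted over ~ and /tmp, created through an unprivileged user namespace, with DAC uids untouched) looks roughly like the following. This is an added example written for this page, not code from the thread, from Fedora or from any sandboxing project; the function names (confine, sandbox_hides_dir, run_demo), the constructed marker file and the result codes are this example's own. It assumes a Linux kernel with unprivileged user namespaces enabled; where they are disabled or blocked it reports SANDBOX_UNSUPPORTED instead of pretending anything was proven, which is the "if it is working well" caveat made explicit.

```c
/* Added example (not from the thread): hide the caller's real home directory
 * and /tmp from a child process using only Linux user + mount namespaces.
 * Function names and the marker file are this example's own inventions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Clone flags (values from <linux/sched.h>), so the file builds without the
 * _GNU_SOURCE-gated declarations in glibc's <sched.h>. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

enum sandbox_result {
    SANDBOX_HIDDEN      = 0, /* namespaces worked and the child cannot see the marker      */
    SANDBOX_LEAKED      = 1, /* namespaces worked but the child still sees it: a real bug  */
    SANDBOX_PROPAGATED  = 2, /* the child's mounts leaked into the parent: a worse bug     */
    SANDBOX_UNSUPPORTED = 3  /* unshare/mount refused (e.g. user namespaces disabled)      */
};

static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Runs in the child: enter fresh user + mount namespaces, then cover `home`
 * and /tmp with empty tmpfs instances. DAC ownership is unchanged; only the
 * view of the filesystem shrinks. */
static int confine(const char *home)
{
    /* Capture ids first: after unshare(CLONE_NEWUSER) and before uid_map is
     * written, getuid() reports the unmapped overflow id (65534). */
    unsigned uid = (unsigned)getuid(), gid = (unsigned)getgid();
    char map[64];

    /* Raw syscall: the unshare(2) wrapper needs _GNU_SOURCE before <sched.h>. */
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNS) != 0)
        return -1;
    /* Map our uid/gid 1:1. Since Linux 3.19 an unprivileged process must deny
     * setgroups before gid_map is writable; on older kernels the file is absent. */
    write_str("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "%u %u 1\n", uid, uid);
    if (write_str("/proc/self/uid_map", map) != 0)
        return -1;
    snprintf(map, sizeof map, "%u %u 1\n", gid, gid);
    if (write_str("/proc/self/gid_map", map) != 0)
        return -1;
    /* Make every mount private so the overlays below cannot propagate back to
     * the parent's mount namespace (systemd leaves / shared by default). */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    /* The actual mitigation: an empty, private ~ and /tmp. */
    if (mount("tmpfs", home, "tmpfs", MS_NOSUID | MS_NODEV, "size=16m") != 0)
        return -1;
    if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV, "size=16m") != 0)
        return -1;
    return 0;
}

/* Drops a constructed "private key" into `home`, then asks a confined child
 * whether it can still see it, and checks the parent's view afterwards. */
enum sandbox_result sandbox_hides_dir(const char *home)
{
    char marker[4096];
    int status = 0;

    snprintf(marker, sizeof marker, "%s/id_rsa", home);
    FILE *f = fopen(marker, "w");
    if (!f)
        return SANDBOX_UNSUPPORTED;
    fputs("-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed marker)\n", f);
    fclose(f);

    pid_t pid = fork();
    if (pid < 0) {
        unlink(marker);
        return SANDBOX_UNSUPPORTED;
    }
    if (pid == 0) {
        if (confine(home) != 0)
            _exit(SANDBOX_UNSUPPORTED);
        _exit(access(marker, F_OK) == 0 ? SANDBOX_LEAKED : SANDBOX_HIDDEN);
    }
    waitpid(pid, &status, 0);
    int parent_sees = access(marker, F_OK) == 0; /* real file must still be here */
    unlink(marker);
    if (!WIFEXITED(status))
        return SANDBOX_UNSUPPORTED; /* e.g. seccomp killed the child */
    if (!parent_sees)
        return SANDBOX_PROPAGATED;
    return (enum sandbox_result)WEXITSTATUS(status);
}

/* Creates a scratch "home" (cwd, falling back to /tmp), runs the check, cleans up. */
enum sandbox_result run_demo(void)
{
    char home[] = "sandbox_home_XXXXXX";
    char fallback[] = "/tmp/sandbox_home_XXXXXX";
    char *dir = mkdtemp(home);
    if (!dir)
        dir = mkdtemp(fallback);
    if (!dir)
        return SANDBOX_UNSUPPORTED;
    enum sandbox_result r = sandbox_hides_dir(dir);
    rmdir(dir);
    return r;
}

int main(void)
{
    static const char *names[] = { "hidden", "leaked", "propagated", "unsupported" };
    enum sandbox_result r = run_demo();
    printf("sandbox check: %s\n", names[r]);
    return r == SANDBOX_HIDDEN ? 0 : 1;
}
```

Two points worth noticing in the output: the parent's copy of the file survives because the mounts were made private before the tmpfs overlays, and a kernel or container that refuses the user namespace yields SANDBOX_UNSUPPORTED rather than a false "hidden", so a caller can tell when this layer is absent and must rely on the remaining ones (DAC, capabilities and, where enabled, SELinux).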