"Workstation" Product defaults to wide-open firewall

Florian Weimer fweimer at redhat.com
Mon Dec 22 10:39:48 UTC 2014


On 12/09/2014 04:32 PM, Bastien Nocera wrote:
>>>> Is it really so awful to ask a user:
>>>> "Do you want to expose Eclipse to the network?" (of course worded
>>>> in a better way than my poor English skills can do).
>>>
>>> Probably not, but it's not implementable in the current state of
>>> things.
>>
>> Understood.
>> Do we have a way to get there?
>> (trying to be constructive here)
>
> 1. Land kdbus
> 2. Implement sandboxing support, including a way for system services
>     to securely identify applications talking to them, and/or block
>     particular capabilities (such as network access, filesystem access, etc.)
> 3. Profit!

Alternatively, start confining unconfined_t and use the existing SELinux 
mechanisms.

-- 
Florian Weimer / Red Hat Product Security

