sandboxing rpms
Benjamin Youngdahl
ben.youngdahl at gmail.com
Thu Dec 8 22:15:54 UTC 2005
Greetings.
My understanding is that RPM packages will be able to install policy modules
in FC5, an improvement over a monolithic policy. I have a couple of
questions about the implementation:
1. Is it possible to provide a temporary policy (either external, or with
an RPM) that constains what the specific RPM's installation can do?
The motivation here is that when I install an RPM, it would be nice if I
would be able to get a declarative list of what the RPM wants access to do.
The RPM tool might summarize before installing the package what the package
will be allowed to do, by parsing this "installation sandbox" policy.
2. Is it possible to limit (or discover easily in advance) what changes to
the system policy are being made by the RPM's policy modules?
The motivation being that I want to be sure that the policy modules
installed by an RPM are well behaved concerning overall system constraints.
Apologies in advance if these questions are way off-base, or belong
somewhere else.
Thanks for your thoughts,
Ben
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/selinux/attachments/20051208/6a7bba4f/attachment.html
More information about the selinux
mailing list