[cap-talk] SELinux (was "ACLs don't" paper rejected from Oakland 09)
Matej Kosik
kosik at fiit.stuba.sk
Sat Feb 7 10:48:22 EST 2009
Hi James,

James Morris wrote:
>
> This work is not complete (e.g. protection needs to be extended throughout
> the X framework, which is ongoing; and these ideas could be generalized to
> cover all content parsing & processing), although it does seem workable as
> a useful security enhancement in the case of retrofitting an existing OS.

Do you also plan to confine/sandbox ordinary applications such as
`gedit' (a simple text editor like Notepad on MS Windows)?
What kind of policy is, according to you, appropriate?
Can it be enforced via SELinux?
Did someone already write it?

PS: Let us suppose that gedit is an example of an untrusted piece of
software (which it indeed is) and we want to follow POLA while using it. It
consists of 70980 lines of C code which we are not willing to read.