Re: Networking and the firewall (Was Re: Isn't it time for the encrypted file system???)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2006-03-29 at 17:58 -0500, Matthew Miller wrote:
> On Wed, Mar 29, 2006 at 12:56:46AM -0500, Daniel J Walsh wrote:
> > >>Should also be wrapped in SELinux to make sure some random app does not 
> > >>ask for this.  If I am a user and NetworkManager pops a window saying 
> [...]
> > >What would happen in the absence of SELinux?
> > It will ask the user and the user will say yes. 

Right. Maybe even the user needs to put in his own password or the
superuser password.

> > In the SELinux case it will still ask the user, but only an approved app 
> > will be able to open the whole in the firewall.

It won't have to ask the user and I argue it shouldn't have to.

> 
> Sounds good, although I wonder if it might be nicer to implement this in a
> way similar to that described here: <http://blog.fubar.dk/?p=66>.

Yea, that's what I was rambling about in my other mail. 

> Also, who decides which apps are "random" and which are approved?

The thinking was that g-u-s would provide the system-level component for
punching a hole that the httpd process launched by g-u-s would use. As
such, only g-u-s would be able to use this. Other apps such as Banshee
or Rhythmbox that wants to listen on a port too would provide similar
helpers. This is not optimal but we gotta start somewhere.

Ideally, the Fedora firewall (which is no more than a script plus a
consolehelper powered GUI, ugh) would provide such a service along with
a configuration framework. In fact, ideally there would be a
freedesktop.org framework for punching holes through firewalls so
everything would be solved upstream. One can always dream, yea?

    David



[Index of Archives]     [Fedora Users]     [Fedora Development]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]

  Powered by Linux