Re: Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

On 12/07/2012 06:49 PM, Gordon Messmer wrote:
> On 12/06/2012 06:05 PM, David McGuffey wrote:
>> Why aren't Firefox and Evolution confined with SELinux policy in a way 
>> that APT can't damage the rest of the system? Why are we not sandboxing 
>> these two apps with SELinux?
> 
> Probably mostly because when you sandbox an X11 application, you can't copy
> and paste in or out of the application.  Most users want to do that. 
> 
Yes, when you wrap something in a sandbox, you lose the ability for these
applications to communicate with the rest of the desktop.  In order to secure
the desktop in any real way you need to break communications, and this
communications breakdown hurts usability.  I opt for security, and will just
run evince outside my session, if I really need copy/paste.  Maybe when we get
to Wayland, we can make this better.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos