-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/14/2013 10:08 AM, Casey Dahlin wrote: > On Thu, Mar 14, 2013 at 09:08:48AM -0400, Daniel J Walsh wrote: >> Well I believe Ubunto has been using this feature for years and maybe we >> should consider turning it on via systemd or a unit file. The breakage >> of AFD is not a legitimate reason for Fedora to turn it off. > > Why not add an LSM call, security_follow_restricted_link()? Then you could > ship this protection with SELinux policy, and even turn it off per-label if > specific applications need the old behavior. > > --CJD > We already do, but this protection does protect unconfined_t and for those who would dare to disable SELinux. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlFCFNQACgkQrlYvE4MpobN0nwCg4ynXq6hXwYzAJu1NUembARUm lCoAn37VntIVg7DUC2tEv9cDozKGC4IE =UC3e -----END PGP SIGNATURE----- -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
