Re: Draft Product Description for Fedora Workstation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/06/2013 10:12 PM, Kevin Kofler wrote:
> Simo Sorce wrote:
> 
>> On Wed, 2013-11-06 at 01:13 +0100, Kevin Kofler wrote:
>>> Simo Sorce wrote:
>>>> * and *ideally* I mean SELinux sandboxed with specific APIs that
>>>> must be used to interact with the rest of the system, so that the 
>>>> application doesn't have free rein over users' files.
>>> 
>>> So you want to remove my freedom to disable SELinux? <SARCASM>Way to
>>> go… </SARCASM>
>> 
>> If this is all you have to say about what I wrote (strawman on a note and
>> ignore completely the rest) you have nothing valid to say in this 
>> discussion.
> 
> If the system relies on SELinux to sandbox apps, it means that SELinux 
> becomes mandatory to use it, which definitely does remove my freedom to 
> disable it. So where's the strawman?
> 
> Kevin Kofler
> 
There will not be a requirement to run with SELinux.  We can also mitigate
some of the risks by using namespacing, mounting over ~ and /tmp, as
well as user_namespace if it is working well.  Of course DAC permissions and
capabilities will still be in place.

Security is about layers.  Removing SELinux will make it less secure but not
totally insecure.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJ7lZIACgkQrlYvE4MpobOyJwCg5lrmiMx7Os8wGWN9PoreJPjE
5cYAnROJXHeqnFYhVL0st2W58I3NLpzi
=+5uZ
-----END PGP SIGNATURE-----
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




