Arjan van de Ven wrote: > right now I fear the only sane answer is "set all to permissive > behavior"; the minimum for fc5 would be everything that can do plugins > of any kind, or uses libraries that tend to get replaced (3D ones ;). > But that ends up being a whole whopping lot... I'm not so sure. The most crappy software are all those mozilla/firefox/thunderbird plugins. So, yes, we might need more time for that although I'd rather prefer to have a separate domain for those programs. The NVidia driver also needs an executable stack but nothing else. What I have not seen are programs which have their own domain and still need any of the booleans set. Somebody should show real evidence that any of those domains need the permission checks disable. If we cannot move the moz/ffox/tbird into their own domain then, yes, disable the checks for unconfined processes. But we should keep the tests for all programs which have their own domain. -- ➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
