There's an effort to limit bonobo connections from firefox to
restricted domains only (no user_t/unconfined_t connections).... also
challenging, because there's so many things firefox talks to, and one
of them is sufficient to necessitate allowing communications channel
to user_t/unconfined_t.
Isn't bonobo capable of doing exactly what we need anyway - launching
applications based on required characteristics sent over a socket to its
server? Maybe I'm ignorant of how those things work, but having a
centralized way to launch other apps (from a different process than our
own) would be very helpful to selinux.
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
