Re: SELinux and the Desktop

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Oct 12, 2004 at 08:14:16PM -0500, Jerry Haltom wrote:
> The daemon realizes that the action isn't allowed, but that it could be 
> allowed if the user consents to it, so the daemon pops up on the user's 
> desktop a nice dialog  box, "The application Blah has attempted to 
> access the file /tmp/contact-socket (or whatever). Do you want to allow 
> this action?" Most likely t his dialog would ask for the user's 
> password again. Upon receiving a "Yes", SELinux would be instructed to 
> allow the program to access the socket. If the user presses Yes, the 
> process ceases being blocked, and goes on. In the case of No, the 
> process will probably die. ;0
[...]
> What this does is let users do what they will do anyways: run the 
> program. You won't stop them, I won't stop them, and we probably 
> shouldn't. We should make it so they CAN without risk to their systems.

What's to stop a user from always clicking "Yes"?  What makes you
think that those same users who download/open attachments that are
executables without thinking/understanding the consequences will be
any smarter when they are asked whether or not to allow a program to
perform some obscure system internal function that they have even less
of a chance understanding?

I don't think it is advantageous to give the user choices they don't
have any chance of understanding.  The current Fedora strict SELinux
policy already restricts some network-facing desktop applications,
such as Mozilla.


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux