On Tue, 2004-10-12 at 20:14 -0500, Jerry Haltom wrote: > So here's where SELinux comes in. SELinux allows the system to place > restrictions on executable programs beyond that offered by the user > identity itself. It allows you to audit, and deny syscall execution, Not precisely. System calls aren't directly restricted; there are simply hooks placed at security-relevant code paths in the kernel. Not all system calls are restricted, and not all permissions are obviously mappable to one particular system call. Also, you can have userspace policy enforcers like D-BUS that aren't mappable to kernel syscalls at all. > So why can't one program place SELinux policy's on other software? SELinux provides mandatory access control, so the policy is generally controlled centrally by a security administrator. However, it is possible right now for the administrator to allow some discretionary user control over labeling. That's what the Apache policy does. > Why > can't a desktop interface listen for faults in SELinux, change those > policy's based on the user's actions or requests, and let the program > continue, at runtime? The problem with this that I see is that it's very difficult to present this to the user in a meaningful way. Most users will simply have no idea what's going on: > 1) don't allow the program to do anything except read/write to /tmp > 2) do allow the program to open outgoing ports after notifying the user A lot of end users aren't going to know what /tmp, ports, or evolution- data-server are. Or even if they do, it's difficult to say whether the program is actually doing something bad or not. One major problem is that right now, without Security-Enhanced X, as soon as you grant an untrusted application access to your X connection you are screwed. So it's basically impossible to usefully define a "user_untrusted_t" domain that downloaded programs could run in; they wouldn't be able to do anything besides use CPU. I guess you could pop them up in a terminal with a suitable program doing filtering with a pty, but I don't see many people emailing exciting tty-based applications to each other...