On Thu, 2005-03-31 at 11:09 -0500, Daniel J Walsh wrote:
> Ivan Gyurdiev wrote:
>
> >>Bad name in the installed file. It used to be disable_games. We might
> >>want to add a boolean back in to prevent users from running games at
> >>all. But we would need to remove exec_type from the attribute.
> >>
> >
> >Prevent users from running games? Why do we want to do that?
> >What's wrong with the current approach to doing this...namely..don't
> >install any games, and then the users won't be running them.
> >
>
> I am thinking of the situation where you might want users in a
> certain role allowed to play games and others not, on a shared
> machine. A more interesting example would be to disallow sysadm from
> running games, mozilla ...
>
> Basically a user accidentally runs mozilla or a game while newroled to
> sysadm. Might be nice to have that error out.
> Ordinarily a transition happens but still it would be nice to prevent this.

I actually see SELinux as suited for the *opposite* phenomenon.
Particularly, while on a legacy machine running mozilla and company as
root would not be a very bright idea, on a SELinux-constrained machine
it shouldn't be so bad (it's confined, how much damage can it do?).

--
Ivan Gyurdiev <ivg2@xxxxxxxxxxx>
Cornell University