Re: Untrusted content domain

> Would it be OK to figure out a certain set of permissions that is OK for
> random untrusted software to use. For instance Flash developers get a lot
> of mileage out of the ability to write fun games that operate entirely
> inside the Flash sandbox which is pretty restrictive, it seems like there
> should be some level of control we can give programs so that humanity's
> innate urge to distribute electronic greetings cards can be satisfied
> securely :)

Mozilla is allowed to execute downloaded content right now...
I think for Java it transitions to a special javaplugin domain.
I suppose the same thing can be set up for Flash, if necessary.

> The thing I'm not really sure about is why preventing programs from
> accessing downloaded data files is useful. If you know you can overflow a
> program with malicious data the only sure protection is to fix the app,
> right? It seems a bit different to viruses which are actually programs.

Fixing the app is one aspect of security, and probably the most
important one. However, it might not always be possible - what about
third-party closed software? Besides, maybe you just don't trust the
app, and you don't want to allow it to handle potentially hostile
content. SELinux is mostly about containment, and allowing the sysadmin
to control interactions between various domains and objects. If we can
give the sysadmin a say in how potentially hostile content is handled,
I think we should.

Basically, the content you download from the Internet
has to be labeled somehow, and the current labeling scheme is not
appropriate IMHO. I want to set up a better labeling scheme. I don't
know at this point exactly how it might be taken advantage of,
but I'm sure there are all kinds of things that can be done to improve
security with a common hostile content type, as opposed to multiple
hostile content types, or worse, no differentiation from ROLE_home_t.

=================

By the way, since you're involved with Codeweavers - does all of wine
require text relocations? If so, it needs to be marked textrel_shlib_t.
I should probably file a policy bug, because it doesn't work at all
under SELinux strict - I use wine quite a lot (games on Linux!),
and it's annoying that I have to turn SELinux off all the
time to make use of it.

for FILE in /usr/local/lib/wine/*.so; do
    # a DT_TEXTREL entry in the dynamic section means the object needs text relocations
    if [ -n "$(readelf -d "$FILE" | grep TEXTREL)" ]; then
        echo "$FILE"
    fi
done

(result: everything)

wine: failed to initialize: /usr/local/lib/wine/ntdll.dll.so: cannot
restore segment prot after reloc: Permission denied

-- 
Ivan Gyurdiev <ivg2@xxxxxxxxxxx>
Cornell University

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
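Added example, not from the post or from the Wine project: a Python check for the same property the readelf loop above greps for, reading DT_TEXTREL (or the DF_TEXTREL bit of DT_FLAGS) straight out of the dynamic section of an ELF64 little-endian object; these are the objects that need the textrel_shlib_t label. The minimal ELF images at the bottom are constructed in the script and are not real libraries; `textrel_libs` assumes a directory of `*.so` files like the one in the post.

```python
import glob
import os
import struct

DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30   # dynamic-section tags
DF_TEXTREL = 0x4                            # bit in the DT_FLAGS value
PT_DYNAMIC = 2

def needs_textrel(elf: bytes) -> bool:
    """True if this ELF64 little-endian object declares text relocations,
    i.e. what 'readelf -d | grep TEXTREL' reports and what textrel_shlib_t
    is for. Other ELF classes are rejected rather than guessed at."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian objects are handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        # walk the Elf64_Dyn entries (16 bytes each) until DT_NULL
        for off in range(p_offset, p_offset + p_filesz, 16):
            d_tag, d_val = struct.unpack_from("<qQ", elf, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
    return False

def textrel_libs(directory: str) -> list:
    """Same check as the shell loop in the post, over every *.so in a directory."""
    hits = []
    for path in sorted(glob.glob(os.path.join(directory, "*.so"))):
        with open(path, "rb") as f:
            if needs_textrel(f.read()):
                hits.append(path)
    return hits

def build_elf(dynamic_entries):
    """Constructed sample: a minimal ELF64 x86-64 shared object whose only
    program header is PT_DYNAMIC. Not loadable, just enough for the check."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dynamic_entries + [(DT_NULL, 0)])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 120, 120, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

TEXTREL_TAGGED = build_elf([(DT_TEXTREL, 0)])                # explicit DT_TEXTREL
TEXTREL_FLAGGED = build_elf([(DT_FLAGS, DF_TEXTREL | 0x8)])  # DF_TEXTREL | DF_BIND_NOW
CLEAN_PIC = build_elf([(DT_FLAGS, 0x8)])                     # DF_BIND_NOW only, no text relocs
```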
