I'm running Spotify (a streaming music service, http://www.spotify.com/). They don't have a native Linux client, but they recommend Linux users to use the Windows client under wine. And it does indeed work fine. But I'm not completely comfortable with running this application unconfined. After all, it is a binary blob I download that does a lot of network traffic. Who knows what bugs it may contain? So I was considering if it would be able to write an SELinux policy module for it, to confine it. As it is a wine application, the binary that runs is wine. For obvious reasons, I do not want all wine applications to be confined by this policy. Is there some good way to do this? One possible way, I guess, would be to write a small wrapper binary that starts wine with Spotify, and make sure that program transitions into some spotify_t domain. This domain would not be allowed to transition further into wine_t. I could then implement the spotify module as a stripped down version of the wine module. I assume it would work, wouldn't it? It would be slightly fragile, in that I need to remember to not start spotify "directly", but always use the wrapper. Is there a better way to do this? Has anybody else made some efforts in confining specific wine applications? Thoughts and ideas are welcome! -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
