On Wed, 2013-10-30 at 11:53 -0400, Daniel J Walsh wrote:
> Well in this case I would like to potentially run these container/apps with
> Types like firefox_t and ooffice_t, but more generically with app_t where
> app_t is not allowed to touch user_home_t.
>
> But we are going far afield of this email chain, and we can revisit this when
> we actually have applications containers.

Sure, we will see, and yes, I guess containers in Gnome are inevitable anyways (what about other DEs?).

I think, but you probably already know that, that we should not try to prevent access to the generic user home content type user_home_t, but instead classify everything that is not generic.

Anyways, the difference is that I have integrity enforcement on the desktop currently implemented (albeit somewhat limited), and what you are suggesting is something that might work in a distant future.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux