max wrote:
> SELinux needs a lot of things but an allow button is not one of them. A
> better idea would be to use the recently created sandbox feature instead,
> offering to run the application in a generic sandbox, this way it may run
> without incident but you can be reasonably sure it isn't grossly violating
> policy.
>
> Of course the sandbox doesn't support X apps yet so it may or may not work
> but its better than just allowing according to setroubleshoot. Really RPM
> (package kit or whatever) should sandbox all applications upon
> installation that do not have policy in place or at least offer the option
> but undoubtedly people would complain about that feature.
SELinux is already too restrictive, making it even more restrictive isn't
going to fix that problem.
That said, I don't see the usefulness of a framework exclusively designed to
forbid things at all. It's always going to be in your way and it's never
going to add an actual feature to your system.
Kevin Kofler
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list
