On 7/10/09 5:11 PM, "max bianco" <maximilianbianco@xxxxxxxxx> wrote: > Personally I am glad that this is in the works, I have really been > wanting some more control over what policy is installed, really I'd > rather not install packages without a policy. Nobody wants to leave it > up to the user and I don't blame them but trying to do this without > bugging the user is just begging for trouble. I could see a menu under > Authorizations (on Fedora) like this : > > SELinux Policy Management > > 1. Install only signed policy (by signed I mean it was either > developed by the maintainers of refpolicy or reviewed by someone on > the distributions security team to ensure least privilege) > > 2. Prompt user for action : install signed policy, install policy > included with package, let me install my own policy or just run in the > user context > > 3. Let the app run unconfined or in a permissive domain - good for > tools like kismet that are sometimes a pain the ass to use in > conjunction with SELinux > > 4. Run the app in a generic sandbox > > 5. Install all policy regardless of source (discouraged) > We've actually thought of some of those same features. Our goal right now is to start by getting support for installing policy into RPM, and then move into looking at ways to give the user more control over what policy gets installed. Chad -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
