On Mon, Nov 13, 2023 at 10:35 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> All that said, I am not entirely sure how useful the current fd use
> permission is, nor how useful these finer-grained checks will be.
> Fedora policy by default allows every domain to use every other
> domain's fds (controllable via domain_fd_use boolean, default is
> true). Android I think is more selective.

I think we want to be careful about judging the merits of an idea
based on how a small handful of publicly available SELinux policies
are structured. I think as long as we can reasonably argue that a
policy could be created that would be able to make use of such an
idea, then I believe the idea is worth considering.

--
paul-moore.com