On Fri, 2011-04-08 at 12:59 -0500, Boriso wrote:
> I think that some kind of script or internal Wine command would be
> great if it could create a new Wine prefix and configure some
> restrictions in IPTables and/or AppArmor.
>

There is no relationship at all between the IPTables firewall and AppArmor/SELinux[1].

The IPTables firewall is only concerned with controlling TCP/IP access to a computer - both TCP/IP sessions and datagrams. It controls incoming connections from external TCP/IP data sources and also controls outgoing connections. That's all it does. It neither knows nor cares what program is trying to make or receive network connections: it is purely a perimeter guard.

OTOH AppArmor/SELinux is concerned with extending control over the way a specific program can access resources (files, etc.) provided within a computer. SELinux adds labels to file system resources to implement Access Control Lists (ACLs) that restrict access in ways that the file ownership and associated read/write/execute permissions cannot. It neither knows nor cares about network access apart from the trivial case of specifying which users can connect to a network port.

[1] There are two implementations of this security tool, which was originally designed to bring Linux installations in line with DOD requirements. AppArmor is used by some distros and SELinux by others.

Martin