SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: Desktop apps interoperability This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Ivan Gyurdiev <ivg2_at_cornell.edu> Date: Wed, 30 Mar 2005 11:13:24 -0500 On Wed, 2005-03-30 at 07:52 -0800, Casey Schaufler wrote: > --- Ivan Gyurdiev <ivg2@cornell.edu> wrote: > > On Wed, 2005-03-30 at 07:05 -0800, Casey Schaufler > > wrote: > > ... > > > > Desktop apps will be restricted to only access > > the > > > > appropriate one. > > > > "Downloading" apps will be restricted to > > download to > > > > untrusted_content_t. > > > > > > Am I the only one wary of a slippery slope here? > > > > What's the problem? > > Unless I read your intent incorrectly (which > is possible) you're talking about requiring > the rearchitecting of the data storage schemes > for every user application on the planet to > accomodate the presence of DTE. And you're > talking about it as if it might actually happen. Do you have a better proposal for restricting desktop applications to minimum privilege? Nothing needs to be rearchitectured. The user just needs to be made aware that this is where the documents belong, and the app can't write all over the place like it would in a non-selinux environment. Apps that still run in user_t would be unaffected until their policy is changed. Of course, I'm thinking in the future such folders would be prominently displayed in Gnome with their own little icons, and their windows-style names like "My Media" or whatever (which should not be the same as the actual dir. name), and those would go in the Places menu or something, and sound juicer for example would know to write there by default as opposed to somewhere else. I guess this discussion now becomes more GNOME-oriented, now that I think about it. Maybe I should go bother the GNOME people to see what they think about adding content-specific folders to /home that we can label with different contexts.. ... or am I missing something fundamental here? -- Ivan Gyurdiev <ivg2@cornell.edu> Cornell University -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Wed 30 Mar 2005 - 11:08:39 EST This message: [ Message body ] Next message: Thomas Bleher: "patch: change var_lib_DOMAIN_t to DOMAIN_var_lib_t" Previous message: Thomas Bleher: "patch: Cleanup policy for /var/lock" In reply to: Casey Schaufler: "Re: Desktop apps interoperability" Next in thread: Tom: "Re: Desktop apps interoperability" Reply: Tom: "Re: Desktop apps interoperability" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom