On Mon, Dec 10, 2012 at 9:40 AM, Daniel J Walsh dwalsh@redhat.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 12/07/2012 06:49 PM, Gordon Messmer wrote:
On 12/06/2012 06:05 PM, David McGuffey wrote:
Why isn't Firefox and Evolution confined with SELinux policy in a way that APT can't damage the rest of the system? Why are we not sandboxing these two apps with SELinux?
Probably mostly because when you sandbox an X11 application, you can't copy and paste in or out of the application. Most users want to do that. _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Yes when you wrap something in sandbox, you loose the ability for these applications to communicate with the rest of the desktop. In order to secure the desktop in any real way you need to break communications, and this communications break down, hurts usability. I opt for security, and will just run evince outside my session, if I really need copy/paste. Maybe when we get to Wayland, we can make this better. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlDGAnoACgkQrlYvE4MpobPYnQCfct1/1mnGEF7JxYd06ba/00hz qRgAoOQYZjU6ZvoaIk4a2gn9uKjBxsqH =Z6ei -----END PGP SIGNATURE----- _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
When i tried sandboxing firefox on CentOS 6.4, it says i need seunshare, but yum search all seunshare results in nothing.
"/usr/sbin/seunshare is required for the action you want to perform."
Widening the search to selinux and installing a bunch of packages, and then running: $ rpm -qf /usr/sbin/seunshare policycoreutils-sandbox-2.0.83-19.30.el6.x86_64