From: dac.override@gmail.com (Dominick Grift) Date: Sun, 28 Aug 2016 21:12:31 +0200 Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts In-Reply-To: References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net> <1471894798.19333.1.camel@trentalancia.net> <1471956294.17467.4.camel@trentalancia.net> <1472075733.19800.4.camel@trentalancia.net> <1472317696.28955.1.camel@trentalancia.net> <1472318213.31962.2.camel@trentalancia.net> <1472330498.25935.7.camel@trentalancia.net> <1472334513.25935.16.camel@trentalancia.net> <6b1697f1-2aaf-3727-5b69-8794a0f85530@gmail.com> <7EAFAD82-CDDA-47E3-950E-4D5610686C6C@trentalancia.net> Message-ID: <2fdc38c8-f5af-b255-078e-fc06fb67b702@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/28/2016 08:40 PM, Chris PeBenito wrote: > On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote: >> Things are very far from working naturally as they are. >> >> On the other hand, the patches are surely far from being complete or >> stable yet, but at least every version allows to start the Gnome desktop. >> >> Now I met this major problem, it looks by all means a limitation of >> the existing framework, but I am sure that it will be sorted out... >> >> I am also waiting to hear from Christopher about this. > > The way I see it is that general purpose desktops are incredibly > complicated and are not designed with security in mind. I wonder if the > policy complexity needed to confine it all actually buys a proportional > amount of security gains. I'm not saying it shouldn't be done, but I am > skeptical that it is worth it. > It is expensive. I agree, but i would not go so far as to say that confining the desktop does not buy a proportional amount of security gains. It is telling though that you're not the only authority saying that using selinux to confine the desktop is not practical (Walsh shares your opinion). Anyhow DSSP fills a gap here. So if you value integrity on the desktop DSSP is be happy to take contributions :) -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160828/376db0aa/attachment.bin