From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 28 Aug 2016 21:12:31 +0200
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file
 contexts
In-Reply-To: <fc5ee4b5-fc19-a753-5b95-0f8a3d83d122@ieee.org>
References: <1471099545.21480.27.camel@trentalancia.net>
	<1471296811.28802.0.camel@trentalancia.net>
	<1471704772.17584.9.camel@trentalancia.net>
	<1471894798.19333.1.camel@trentalancia.net>
	<e24eaac7-5277-23b5-f5db-d1a286920a9b@ieee.org>
	<1471956294.17467.4.camel@trentalancia.net>
	<d4e37b0e-79de-eee1-fa40-7888b5802591@ieee.org>
	<1472075733.19800.4.camel@trentalancia.net>
	<cb9a9019-2e69-dde1-e3cb-aa4382f3f589@ieee.org>
	<1472317696.28955.1.camel@trentalancia.net>
	<c49f1270-caa7-7e41-60dc-66ce0fe44e3c@gmail.com>
	<1472318213.31962.2.camel@trentalancia.net>
	<d5ad4d2b-f29f-1e45-84a1-a69dedd428f4@gmail.com>
	<1472330498.25935.7.camel@trentalancia.net>
	<fd0e9bd4-f385-081b-36b5-ccf0c55cfa5c@gmail.com>
	<1472334513.25935.16.camel@trentalancia.net>
	<6b1697f1-2aaf-3727-5b69-8794a0f85530@gmail.com>
	<aef29033-a90d-f964-c23e-bb71bbae9154@gmail.com>
	<7EAFAD82-CDDA-47E3-950E-4D5610686C6C@trentalancia.net>
	<fc5ee4b5-fc19-a753-5b95-0f8a3d83d122@ieee.org>
Message-ID: <2fdc38c8-f5af-b255-078e-fc06fb67b702@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/28/2016 08:40 PM, Chris PeBenito wrote:
> On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote:
>> Things are very far from working naturally as they are.
>>
>> On the other hand, the patches are surely far from being complete or
>> stable yet, but at least every version allows to start the Gnome desktop.
>>
>> Now I met this major problem, it looks by all means a limitation of
>> the existing framework, but I am sure that it will be sorted out...
>>
>> I am also waiting to hear from Christopher about this.
> 
> The way I see it is that general purpose desktops are incredibly
> complicated and are not designed with security in mind.  I wonder if the
> policy complexity needed to confine it all actually buys a proportional
> amount of security gains.  I'm not saying it shouldn't be done, but I am
> skeptical that it is worth it.
> 

It is expensive. I agree, but i would not go so far as to say that
confining the desktop does not buy a proportional amount of security gains.

It is telling though that you're not the only authority saying that
using selinux to confine the desktop is not practical (Walsh shares your
opinion).

Anyhow DSSP fills a gap here. So if you value integrity on the desktop
DSSP is be happy to take contributions :)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160828/376db0aa/attachment.bin