From: russell@coker.com.au (Russell Coker)
Date: Wed, 19 Oct 2016 16:40:59 +1100
Subject: [refpolicy] Confining services without confining users
In-Reply-To:
References: <67130EC7AFA3FE4E9290B03665B351F4056B05@SE-EX022.groupinfra.com>
Message-ID: <4575498.XAtSL3l79j@russell.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Monday, 17 October 2016 9:05:25 PM AEDT Chris PeBenito via refpolicy wrote:
> If you leave your users unconfined, then you're saying that you
> completely trust your users (from the SELinux perspective) and only want
> to rely on Linux DAC protections. The problem with this amount of trust
> is that many users run web browsers or other network clients that may
> not be so trustworthy, which is why web browsers typically have some
> confinement and also why tools like sandbox exist.

The problem we have is that in typical usage of a desktop computing environment, a web browser reads and writes so many files that most sysadmins won't accept a policy that restricts the browser from accessing most files in the user's home directory.

When a web browser can write to ~/.bashrc and similar files there are no meaningful restrictions on what it can do to the user's session.

It would be good if tools like sandbox were used more.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
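The point above is that DAC alone gives an unconfined browser the same write access to session startup files as the user has. The following audit script is an added example, not part of this thread and not refpolicy code: it lists the session hook files under a home directory, reports which of them the current DAC identity can write or create, and shows each file's SELinux label where the filesystem exposes one. The file list and the demo home directory it builds are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Files a login shell or desktop session reads at startup. A process that can
# write any of these runs code in every later session of that user, so they
# are the ones worth checking for write access. Constructed, non-exhaustive
# list for this example.
SESSION_HOOK_FILES = [
    ".bashrc", ".bash_profile", ".profile", ".zshrc",
    ".xsession", ".xprofile", ".config/autostart",
]


def selinux_label(path):
    """Return the SELinux label of path, or None when the platform or
    filesystem does not expose the security.selinux xattr."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    return raw.rstrip(b"\0").decode(errors="replace")


def audit_session_hooks(home):
    """Return one record per session hook file under home.

    Existing files: whether the caller can write them under DAC, whether the
    mode bits grant group/world write, and the SELinux label if present.
    Missing files: whether the parent directory lets the caller create them,
    which is the same exposure in practice.
    """
    home = Path(home)
    report = []
    for rel in SESSION_HOOK_FILES:
        p = home / rel
        if not p.exists():
            report.append({
                "rel": rel, "exists": False,
                "creatable": os.access(p.parent, os.W_OK),
                "label": None,
            })
            continue
        mode = p.stat().st_mode
        report.append({
            "rel": rel, "exists": True,
            "dac_writable": os.access(p, os.W_OK),
            "group_or_world_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
            "label": selinux_label(str(p)),
        })
    return report


def writable_hooks(home):
    """Relative names of hook files that already exist and are writable."""
    return [r["rel"] for r in audit_session_hooks(home) if r.get("dac_writable")]


def creatable_hooks(home):
    """Relative names of hook files that do not exist but could be created."""
    return [r["rel"] for r in audit_session_hooks(home)
            if not r["exists"] and r["creatable"]]


def make_demo_home():
    """Build a constructed home directory with a single ~/.bashrc so the
    audit can be run offline; returns its path."""
    home = tempfile.mkdtemp(prefix="demo_home_")
    with open(os.path.join(home, ".bashrc"), "w") as fh:
        fh.write("# constructed demo rc file\n")
    return home


if __name__ == "__main__":
    demo = make_demo_home()
    for rec in audit_session_hooks(demo):
        print(rec)
    print("writable:", writable_hooks(demo))
    print("creatable:", creatable_hooks(demo))
```

Run against a real home directory the output shows the DAC side of the argument directly: every hook file the user owns is writable, and the `label` column shows whether any MAC distinction exists between those files and the rest of the home directory that a policy could act on. Only the `.config/autostart` entry reports as not creatable in the demo home, because its parent directory is absent.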