From: walid.fakim@cgi.com (Fakim, Walid)
Date: Wed, 19 Oct 2016 09:03:44 +0000
Subject: [refpolicy] Confining services without confining users
In-Reply-To: <4575498.XAtSL3l79j@russell.coker.com.au>
References: <67130EC7AFA3FE4E9290B03665B351F4056B05@SE-EX022.groupinfra.com> <4575498.XAtSL3l79j@russell.coker.com.au>
Message-ID: <67130EC7AFA3FE4E9290B03665B351F40583AF@SE-EX022.groupinfra.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Thanks both. Makes sense.

Thanks.

Best Regards,
Walid Fakim

-----Original Message-----
From: Russell Coker [mailto:russell at coker.com.au]
Sent: 19 October 2016 06:41
To: refpolicy at oss.tresys.com; Chris PeBenito
Cc: Fakim, Walid
Subject: Re: [refpolicy] Confining services without confining users

On Monday, 17 October 2016 9:05:25 PM AEDT Chris PeBenito via refpolicy wrote:
> If you leave your users unconfined, then you're saying that you
> completely trust your users (from the SELinux perspective) and only
> want to rely on Linux DAC protections. The problem with this amount
> of trust is that many users run web browsers or other network clients
> that may not be so trustworthy, which is why web browsers typically
> have some confinement and also why tools like sandbox exist.

The problem we have is that in typical usage of a desktop computing
environment a web browser reads and writes so many files that most
sysadmins won't accept a policy that restricts the browser from
accessing most files in the user's home directory. When a web browser
can write to ~/.bashrc and similar files there are no meaningful
restrictions on what it can do to the user's session.

It would be good if tools like sandbox were used more.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
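Added example, not part of the thread or of refpolicy: a small Python audit that reads `semanage login -l` and `ps -eZ` output and reports which logins are mapped to unconfined_u and which browser processes run in unconfined_t, i.e. the situation Chris and Russell describe. The sample command output and the browser name list below are constructed assumptions.

```python
"""Audit helper: find logins mapped to unconfined_u and browsers running
unconfined. The two samples below are constructed, not captured output."""

# Constructed sample of `semanage login -l` (login, SELinux user, range, service)
SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
bob                  unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""

# Constructed sample of `ps -eZ` (context, pid, tty, time, command)
PS_EZ = """\
LABEL                                                  PID TTY     TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2231 ?   00:00:12 firefox
staff_u:staff_r:mozilla_t:s0-s0:c0.c1023              2410 ?   00:00:03 firefox
system_u:system_r:httpd_t:s0                          1020 ?   00:00:00 httpd
"""

# Assumed set of browser command names to look for (extend as needed).
BROWSERS = {"firefox", "chromium", "chrome", "epiphany"}


def unconfined_logins(semanage_output):
    """Return login names whose SELinux user is unconfined_u.

    A __default__ entry here means every login without an explicit
    mapping gets an unconfined session, so only DAC applies to it."""
    found = []
    for line in semanage_output.splitlines()[1:]:  # skip header line
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "unconfined_u":
            found.append(parts[0])
    return found


def unconfined_browsers(ps_output):
    """Return (pid, command) for browser processes in the unconfined_t domain."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip header line
        parts = line.split()
        if len(parts) < 5:
            continue
        context, pid, cmd = parts[0], parts[1], parts[-1]
        domain = context.split(":")[2]  # user:role:type[:range]
        if cmd in BROWSERS and domain == "unconfined_t":
            hits.append((int(pid), cmd))
    return hits
```

On a real host, feed the functions the actual output of `semanage login -l` and `ps -eZ`; the firefox process running as staff_u in mozilla_t shows what a confined browser looks like by comparison.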