Cool things with SELinux... Introducing sandbox -X
Sep 17, 2009, 19:32
(Other stories by Dan Walsh)
"SELinux is all about defining security goals.
"For example, I might have a security goal that the firefox
application will not send email. So I can check if my policy
prevents firefox from sending email. But my security goal can
change depending on the content that I want to look at. For
whatever reason, I might want to allow OpenOffice to have full
access to everything in my homedir when I launch it from the start
menu, but when it is launched from firefox on untrusted content, I
only want OpenOffice to be able to display, print, or email that
content, not my credit card data....
"I introduced xguest a year or so ago, and I've thought about
why people liked the concept and the ways people were telling me
they were using it. (Xguest is the least privileged user, his
homedir is cleared on exit, and he is only able to connect to http
ports). I have been told that some people use xguest to go to
untrusted sites where they do not want to have bad data left
behind. Others have told me they use xguest to run games, to make
sure the downloaded games aren't allowed to do evil things."