Re: More desktop security thoughts (was Re: GNOME privilege library)



On Fri, 14 Jan 2005 13:02:31 -0500, Colin Walters wrote:
> This has come up periodically on the SELinux list, but it is not easy.
> You need to ensure that you're not introducing any new flaws.  
> 
>> Yes, this worries me too. I don't know if SELinux is badly designed or if
>> MAC in general is just a very hard problem, or even if Red Hat are being
>> overly ambitious. I'm not aware of any attempts to do something like this
>> before.
> 
> There has been no previous attempt to integrate fine-grained MAC
> pervasively into a mainstream version of a mainstream operating system.
> That's the goal of SELinux.

Right. So we don't have anything to compare against, so placing the blame
for it being hard at the feet of SELinux specifically doesn't make any
sense ...
 
> Anyways, for the purposes of GNOME, we should not be designing anything
> that requires SELinux, particularly a nonexistent version which can
> override DAC.

Right, but as Sean said you can just make lots of programs suid root then
sandbox them back down using SELinux which achieves the same effect.

The thing that concerns GNOME is what the UI looks like, and I think the
only stuff it has to consider as a project is how to let distributors
choose whether to use this admin-applets-needs-root type UI or using an
adminless type UI. Which might be best served using Sean's idea of a new
library/abstraction or by dragging consolehelper upstream or some other
totally different way.

But I think GNOME should keep in mind how to provide the sort of
no-root home user UI.

thanks -mike



