Posted Nov 18, 2004 17:52 UTC (Thu) by iabervon
Parent article: Civilizing SELinux
I think that a good basic principle for a desktop system would be relatively simple: everything the user isn't expected to know about is restricted by the distribution's policies; anything the user installs, unless it's "official", is prohibited from mucking with the root-owned portion of the system, but can do anything the user can do; a "fakeroot-rpm" system would be very helpful (so you could install a random rpm, and it would look to you like it was installed, but not be able to affect the function of the system other than for you).
The thing that I'd like to see out of SELinux is the ability to tightly restrict the abilities of plug-ins. Your mail program, when you click on an attachment, would run a viewer for it, but would prohibit the viewer from doing anything other than reading files without side-effects, displaying content in its window, and accepting input in its window. This could allow the system to support the distinction in the user's mind between "looking at" something and "running" it. Each new user would probably try saving from a program out of their email and be unhappy, but the concept that you need to export any program you intend to "use" and shouldn't export anything you want to "look at" would fit users' naive expectations far better than current systems (the confusion would come from users' experiences that computers generally violate these expectations).
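As an added illustration (not part of the comment above, and not an existing distribution policy), here is a sketch of how the "look at, don't run" viewer confinement described above could be expressed as an SELinux reference-policy module. The domain and type names `attachment_viewer_t` / `attachment_viewer_exec_t` are assumed, as is the assumption that the mail client itself runs in the stock `user_t` domain.

```sepolicy
policy_module(attachment_viewer, 1.0)

# Hypothetical domain for viewers launched on mail attachments.
type attachment_viewer_t;
type attachment_viewer_exec_t;
application_domain(attachment_viewer_t, attachment_viewer_exec_t)

gen_require(`
	type user_t;
	type user_home_t;
')

# When the mail client (assumed to run as user_t) executes a viewer
# binary labelled attachment_viewer_exec_t, the process lands in the
# confined viewer domain automatically.
domain_auto_trans(user_t, attachment_viewer_exec_t, attachment_viewer_t)

# "Looking at" rights only: read the user's files, plus the shared
# libraries and configuration any program needs to start up.
userdom_read_user_home_content_files(attachment_viewer_t)
files_read_etc_files(attachment_viewer_t)
libs_use_ld_so(attachment_viewer_t)
libs_use_shared_libs(attachment_viewer_t)

# Nothing grants write, network or transition permissions, so the
# default-deny model already withholds them. The neverallow rules make
# the "no side-effects" intent explicit and fail the policy build if a
# later change accidentally grants them.
neverallow attachment_viewer_t user_home_t:file { write append create unlink rename setattr };
neverallow attachment_viewer_t domain:process transition;
neverallow attachment_viewer_t self:tcp_socket *;
neverallow attachment_viewer_t self:udp_socket *;
```

Display and input inside the viewer's own window would still need the usual X/D-Bus interfaces for whichever desktop is in use; those are omitted here since they are desktop-specific.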