
Walsh: Cool things with SELinux... Introducing sandbox -X


Posted Sep 18, 2009 0:00 UTC (Fri) by martinfick (subscriber, #4455)
In reply to: Walsh: Cool things with SELinux... Introducing sandbox -X by martinfick
Parent article: Walsh: Cool things with SELinux... Introducing sandbox -X

If you step back and think about it, most distributions sandbox servers quite a bit already by giving them their own users, and sometimes by putting them in chroots (and by using various other security mechanisms). Any bridging that needs to be done between server applications that was not anticipated by distributions (and there always is some) can be done because the person managing the servers typically has root privileges. This same ability needs to be extended to desktop users (on a multi-human user system).

But, distributions typically stop at sandboxing servers, why? Because to manage sandboxing you need root privileges! Distributions do not typically sandbox human-user apps (desktop apps) because most human users do not have the privileges on a machine to create the necessary bridges between their apps if they were sandboxed. Human users really need "root level" control of their own domain to ever make sandboxing of applications manageable; no distribution can anticipate all the bridges between user applications that might need to be created. Thus, the need for a separate container for each human user, to give human users "root" privileges without compromising the host or other human users.

