[OT] Re: Running graphical programs as root

Kevin Chadwick ma1l1ists at yahoo.co.uk
Mon May 14 13:55:27 CEST 2012


On Sat, 12 May 2012 07:28:18 -0700
Ray Andrews wrote:

> Very interesting! So I'm not the first to wonder about better 
> protections. I will look at these things.  At the least I'll instruct it 
> that VLC is only permitted to play music ;-)

You managed to pull me out of silence yet again. Hopefully before you've
spent any time. I'll say this.

You have to know about what a program needs. RBAC has a
learning mode which builds policies for you but then only allows
complete system enforcement to prevent any false sense of security, so
ANYTHING you haven't done during learning mode, you won't be able to do
once enabled and updates may require a re-learn/maintenance. Its
security is better than selinux that uses LSM but also requires a
grsecurity kernel which almost no distro provides and aren't for your
average user. (sonnet and alpine)


I'm not a fan of Fedora partly due to its minimum system requirements
but Fedora probably? has the most selinux policies by default. You may
need to put selinux into enforcement mode though, not sure if it's
enabled by default for some programs or not, I haven't really looked at
running selinux since selinux was in beta in Fedora 3 or something. It
also has an selinux sandbox letting you run apps inside that trounces
any Windows sandbox.


There's also a lot you can do simply with traditional unix security
tools, like firewalls, chroot, users/groups and permissions. (grossly
underestimated in fact, it's so useful mainly due to the unix philosophy
of everything is a file but this philosophy is unfortunately beginning
to be eroded with recent developments like polkit, greater usage of IPC
like Windows and also amalgamation of configs).

