On Mon, Jun 1, 2009 at 4:25 PM, Kevin Kofler kevin.kofler@chello.at wrote:
max wrote:
SELinux needs a lot of things but an allow button is not one of them. A better idea would be to use the recently created sandbox feature instead, offering to run the application in a generic sandbox; this way it may run without incident but you can be reasonably sure it isn't grossly violating policy.
Of course the sandbox doesn't support X apps yet so it may or may not work, but it's better than just allowing according to setroubleshoot. Really RPM (package kit or whatever) should sandbox all applications upon installation that do not have policy in place or at least offer the option, but undoubtedly people would complain about that feature.
SELinux is already too restrictive
No, it's not ... it does not get in my way even though I have stuff like confined nsplugin enabled (which are off by default).
You have to provide specific cases so that they can be fixed.