shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

Administered by:

Server stats:

261
active users

#selinux

1 post1 participant0 posts today

'"[…] #SELinux stops all access unless allowed by policy. […] Before the SELinux 3.6 userspace version, it was not possible to drop any access already allowed in the base SELinux policy or in a module. […] The changes in the latest SELinux userspace release 3.6 introduced support for deny rules. They are documented in Access Vector Rules: "Remove the access rights defined from any matching allow rules.""'

developers.redhat.com/articles

Red Hat Developer · How SELinux deny rules improve system security | Red Hat DeveloperLearn how you can now use deny rules to remove SELinux permissions from the base SELinux policy or a module with the new SELinux userspace release 3.6
Replied in thread

@kde@floss.social @kde@lemmy.kde.social

Thx for the info, then it is like that.

Here is the goal proposal

phabricator.kde.org/T17370

Tbh, #bubblewrap would need to be fixed drastically to be as secure as the #Android #sandbox. And (I am not sure yet) I think even #Snaps are more secure (on #Ubuntu with #Apparmor patches) than #Flatpak with the current system.

As far as I understood, sandboxing needs to happen in #userspace, with tools like #fuse doing the work while being restricted by #MAC like #SELinux or Apparmor.

phabricator.kde.org⚓ T17370 Sandbox all the things!
Replied in thread

@kde@floss.social @kde@lemmy.kde.social

Can you tell us what happens on the "sandbox all the things" goal?

I think this is a pretty crucial step forward, even though #sandbox technologies (most often through user namespaces) are more problematic than I initially thought.

(Basically, user #namespaces open up #privesc dangers to the monolithic #kernel, which is incredible. #Android and #ChromeOS use #LXC, mounts and #SELinux for #sandboxing)