Paranoia for helpers - best practices

Federico Mena Quintero federico at novell.com
Thu Mar 25 10:40:16 PDT 2010


On Wed, 2010-03-24 at 21:09 -0400, Matthias Clasen wrote:

> Of course, one answer is to contain your service using selinux policy,
> but thats a rather big hammer, and not everybody is in the position to
> just walk over to Dan Walsh's desk to have that sorted out....

Yeah, selinux is not an option.

In my mind selinux is "I have a really big codebase that I need to
more-or-less sandbox".

PK helpers should be as small as possible, so they are in principle easy
to make secure.

  Federico



More information about the polkit-devel mailing list