On Tue, Feb 24, 2009 at 06:05:51PM -0500, Benjamin M. Schwartz wrote: > Sugar/OLPC simply never had SELinux experts
I'm pretty sure this is false. For instance, I know that ancient OLPC+RH kernels has SELinux enabled and I know that the SELinux folks at RH have always been excited to help me to understand their work whenever I took the time to ask them questions every few months. >It's hard to write a sandboxer like Rainbow, since it must not only appear >to work, but be verified "secure" to a high degree of confidence. That's >harder still if one is writing in a system in which one is a novice, so >the developers (principally Michael) have instead stuck to technologies >with which they are already expert. This is actually not such a big deal, in my opinion. The killer problem, as I learned from the vserver experience, is that novice activity authors /must/ be able to debug their work in any system which we might hope to ship. I don't think that I have very good ideas on how to make this part workable with technologies that are more complicated or more obscure than Unix DAC. Michael _______________________________________________ Devel mailing list [email protected] http://lists.laptop.org/listinfo/devel
