Very cool new feature. Thanks for keeping us up to date on the latest in the SELinux / Fedora world

Two, we plan on keeping it up to date with every new amaroK release, so it will stay current and I guess could be called a distribution unto itself.

What about local network access for lan games?

How hard would it be to make a variant where properly tagged network packets could be sent. The use case would be a game that needed access to the local network to play with other players, but which should not have access to the internet at large.
DNS might be a bit sticky, since information could be leaked through that, so probably even local DNS would be blocked.

How about PDF files downloaded from net? Any other file format supported by separate application like OO?

Yes, you can look at documents from the Web via Open Office or evince, for example, but these tools will be running under the xguest_firefox_t domain, so they will follow the same rules. Now the user could save the document to /tmp, ~/.mozilla or the ~/Download directory, and then run Open Office or evince to look at the files separately.

I did not mention that there are also two booleans to control the use of firefox.

browser_confine_xguest --> on
browser_write_xguest_data --> off

The first one allows the xguest domain to transition to xguest_firefox_t. If you turn this off, the transition will not happen and firefox would be in local-only mode, i.e. only able to read what the user can read off the local system. The second boolean would allow firefox to write to the user's home dir. If you want to see something cool about this policy, execute

links www.redhat.com

will give you a failure to connect, while

firefox www.redhat.com

will succeed.
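As an added illustration (not part of the comment above or of the Fedora/SELinux tooling), here is a small POSIX shell audit that checks the two booleans listed in the comment against the state it describes (browser_confine_xguest on, browser_write_xguest_data off). It reads getsebool-style "name --> value" lines on stdin so it can be exercised on constructed text offline; on a live Fedora box you would feed it `getsebool -a`. The function names, status messages and the sample input are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit the two xguest browser booleans from the comment above.
# Expected state described there:
#   browser_confine_xguest    --> on   (xguest may transition to xguest_firefox_t)
#   browser_write_xguest_data --> off  (firefox may not write to the guest's home dir)
# Input is getsebool-style "name --> value" lines on stdin; function names and
# message formats are this example's own, not Fedora tooling.

# expected_value NAME: print the expected value of an audited boolean; fail otherwise.
expected_value() {
    case "$1" in
        browser_confine_xguest)    echo on ;;
        browser_write_xguest_data) echo off ;;
        *) return 1 ;;
    esac
}

# audit_xguest_booleans: read stdin, print one status line per audited boolean:
#   OK <name> <value>
#   DRIFT <name> <value> -> setsebool -P <name> <expected>
#   MISSING <name>
# Exit 0 only when both booleans are present and match the expected state.
audit_xguest_booleans() {
    seen_confine=0
    seen_write=0
    rc=0
    while read -r name arrow value _rest; do
        [ "$arrow" = "-->" ] || continue           # not a boolean report line
        want=$(expected_value "$name") || continue # a boolean we do not audit
        case "$name" in
            browser_confine_xguest)    seen_confine=1 ;;
            browser_write_xguest_data) seen_write=1 ;;
        esac
        if [ "$value" = "$want" ]; then
            echo "OK $name $value"
        else
            # Print the exact command that restores the described state.
            echo "DRIFT $name $value -> setsebool -P $name $want"
            rc=1
        fi
    done
    [ "$seen_confine" -eq 1 ] || { echo "MISSING browser_confine_xguest"; rc=1; }
    [ "$seen_write" -eq 1 ]   || { echo "MISSING browser_write_xguest_data"; rc=1; }
    return "$rc"
}

# Constructed sample input (not captured from a real system); the third line is a
# placeholder boolean name to show that unrelated booleans are ignored.
demo_input='browser_confine_xguest --> on
browser_write_xguest_data --> on
some_other_boolean --> off'

if [ "${1:-}" = "--live" ]; then
    getsebool -a | audit_xguest_booleans      # real audit on a Fedora box
else
    printf '%s\n' "$demo_input" | audit_xguest_booleans
    echo "exit status: $?"
fi
```

Run it as `sh audit.sh` to see the drift report for the constructed input, or `sh audit.sh --live` on a Fedora host to check the real booleans; the DRIFT lines double as the `setsebool -P` commands that put the policy back into the state the comment describes.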

Yes, you could set up something like this, but this is a fairly advanced setup. I will blog on customizing userspace domains next week.

