• 1

Another idea would be to allow you to specify a list of files or directories that were copied into the sandbox filesystem after it was created. And maybe a list of file descriptors you wanted set to particular sockets.

And, of course, ideally you would like to just be able to vet every single access a program tried to make. But that's beyond the scope of what SELinux can do.


  • 1
?

Log in