On Sat, Oct 24, 2009 at 10:47 PM, Nicholas LaRoche nlaroche@vt.edu wrote:
> A few months ago there was a topic in wine-devel on the same subject. A toggle switch for portions of the wine API (i.e. networking), WINEPREFIX, and SELinux seems to make this a non-issue.
> The default wine SELinux configuration for Fedora 11 denies quite a bit of behavior. (Try compiling and using HEAD without setting the security context or entering permissive mode and you'll see what I mean).
> Does this even need to be handled at the wine level to prevent system-wide corruption? It seems like other security technologies already provide this protection.
We may want to lend a hand. For instance, I could imagine the system needing some help to figure out how to allow certain Windows apps access to the network, and deny it to others. And I think sandboxing a la chromium might end up being a useful technique that would require some work on wine's part to work well.

- Dan