>> On 20/05/16 09:55, Elmar Stellnberger wrote:
>> Well, in order to block network access for individual apps you would need something like SELinux. However I do not know about the availability of security profiles for all such apps, neither do I know about a convenient tool to browse such profiles f.i. in order to see whether a given app is allowed to access the network.

On 20/05/16 11:26, ale wrote:
> I think you could also use AppArmor profiles to filter network access per application in the way you describe.

The problem with AppArmor (I am not sure about SELinux) is that all the information about which packages/programs are allowed to use the Internet will be distributed across different AppArmor profiles, which are pretty difficult to maintain and manage. The ideal scenario would be some file in /etc/ with a list of all packages with access granted, so a user could easily add or remove permissions. A package with network access by default will be added automatically on install. Some packages could be optional (like gnome-calculator): on install (or on first run) the user will be asked if they want to grant access to it. I do not know of any distribution doing something like this, so it probably has some problems or drawbacks.
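
One way to picture the central list proposed in the message above is as a single source that gets compiled into per-program AppArmor network rules. This is an added example, not part of the original message or of any distribution's tooling; the policy file format, the `ask` state and all function names are hypothetical.

```python
# Constructed sample of the single /etc list the message imagines.
# Hypothetical format: "<absolute program path> <allow|deny|ask>"
SAMPLE_POLICY = """\
# program                    network
/usr/bin/firefox             allow
/usr/bin/gnome-calculator    ask
/usr/bin/evince              deny
"""

DECISIONS = ("allow", "deny", "ask")


def parse_policy(text):
    """Return {program_path: decision}; malformed or duplicate entries are errors."""
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[1] not in DECISIONS:
            raise ValueError(f"line {lineno}: expected '<path> allow|deny|ask'")
        path, decision = parts
        if not path.startswith("/") or path in policy:
            raise ValueError(f"line {lineno}: relative or duplicate path {path!r}")
        policy[path] = decision
    return policy


def fragment_name(path):
    """Follow the common profile naming: /usr/bin/foo -> usr.bin.foo."""
    return path.strip("/").replace("/", ".")


def render_fragments(policy, answers=None):
    """Map fragment file name -> AppArmor rule text.

    'ask' entries the user has not explicitly approved fail closed (deny).
    """
    answers = answers or {}
    fragments = {}
    for path, decision in policy.items():
        if decision == "ask":
            decision = "allow" if answers.get(path) is True else "deny"
        rule = "network," if decision == "allow" else "deny network,"
        fragments[fragment_name(path)] = f"# generated for {path}\n{rule}\n"
    return fragments
```

Each fragment only takes effect if the program's own AppArmor profile includes it, and a program without a profile stays unconfined, so the central list is only as complete as the set of profiles behind it.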