> It is funny that I read this question when I was going to look at > AppArmor myself. > > I read an article about AppArmor finding that Skype on Linux reads > /etc/passwd and firefox settings today. Did Selinux stop this from > happening as well? > > http://forum.skype.com/index.php?showtopic=95261 > > I like SELINUX and will continue using it. The passwd file isn't considered secret in any way. Its public readable data. The /etc/shadow file holds passwords and is root only. You can certainly set skype up not to be allowed anywhere near your firefox settings (my guess is its looking for an address book to import or plugin data nothing too sinister). The problem with stuff like apparmor is you can say things like "/etc/passwd" is not accessible to program XYZ. But program XYZ can then do things to access it via another path (eg by renaming a copy of itself ".eric" and adding that to your .profile). SELinux puts labels on actual objects, not on paths so renaming itself .eric doesn't help, nor does finding another path to /etc/passwd (eg by running a program to create a link). Alan