Confining Applications running as root user
Anamitra Dutta Majumdar (anmajumd)
anmajumd at cisco.com
Fri Aug 21 18:44:23 UTC 2009
Thanks everyone for their responses.
I have another followup question.
Is it mandatory to add all the neverallow rules to assert.te. If so does
that imply that we need to maintain our own version of assert.te with
the modifications.
Thanks
Anamitra & Radha
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com]
Sent: Wednesday, August 12, 2009 1:34 PM
To: Anamitra Dutta Majumdar (anmajumd)
Cc: fedora-selinux-list at redhat.com
Subject: Re: Confining Applications running as root user
On 08/11/2009 06:54 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>
>
> We are trying to migrate our existing security policies to SELinux. We
> are new to SELinux and hence are finding it difficult to map our
> existing policies.
>
> In our existing policy, all applications (including ones running as
> root
> user) with the exception of insmod and modprobe, are denied access to
> /lib directory. How would we go about writing such a policy without
> actually confining every application manually, since that would indeed
> be cumbersome?
>
> Thanks,
> Anamitra & Radha.
>
So you want to control an administrator that is logged in as root from
writing to /lib?
Not very easy to do. If he can disable selinux, load kernel modules,
install rpm ...
He can easily circumvent your protection.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
More information about the fedora-selinux-list
mailing list