securing directories and binaries
Paul Howarth
paul at city-fan.org
Sat May 27 08:23:32 UTC 2006
On Fri, 2006-05-26 at 14:35 -0700, Florin Andrei wrote:
> On Fri, 2006-05-26 at 15:42 -0500, Arun Binaykia wrote:
>
> > The DAC security model is not good enough. Because the user should be
> > able to run trusted processes (OO) and lowly trusted process
> > (gaim/yahoomessenger)(or a downloaded executable) at the same time.
>
> Sounds like SELinux is what you need. You probably have to build a
> custom policy.
>
> http://fedora.redhat.com/docs/selinux-faq/
>
> http://fedoraproject.org/wiki/SELinux
A fully custom policy might not be needed - the strict policy with a
local module defining the types for the documents and what's allowed to
access it might suffice, or the mls policy could be sufficient "out of
the box". I'd ask about this on fedora-selinux-list. SELinux is
definitely the tool for this job though.
Paul.
More information about the fedora-list
mailing list