Security outside of SElinux?

Bruno Wolff III bruno at wolff.to
Thu Jan 29 21:18:09 UTC 2009


On Thu, Jan 29, 2009 at 13:26:24 -0600,
  Jeff Barnes <hybridjeffbarnes at sbcglobal.net> wrote:
> Are there commands with this functionality in Fedora?
> If not what would it take to make them happen in general?
> Reasons would be ease of security application and another reason is
> that Enterprise has restrictions on altering SELinux policies
> which affect warranty. If this functionality were a logic binary AND
> with SELinux then we would not ever need to change default SELinux
> policies.

iptables has an extension that allows you to filter on uids or gids.
For processes or files, I think you want to use SELinux.

> ________________________________________________________________
> /sbin/PORTS_ALLOW_FOR_USER username list of ports
> /sbin/PORTS_DENY_FOR_USER username  list of ports
> /sbin/LIST_ALLOWED_PORTS_FOR_USER username
> 
> /sbin/PORTS_ALLOW_FOR_FILE filename list of ports
> /sbin/PORTS_DENY_FOR_FILE filename list of ports
> /sbin/LIST_ALLOWED_PORTS_FOR_FILE filename
> 
> /sbin/PORTS_ALLOW_FOR_PROCESS processID list of ports
> /sbin/PORTS_DENY_FOR_PROCESS processID list of ports
> /sbin/LIST_ALLOWED_PORTS_FOR_PROCESS processID
> ___________________________________________________________________________
> /sbin/PRIVILEGES_ALLOW_FOR_USER username list_of_privileges_or_levels
> /sbin/PRIVILEGES_DENY_FOR_USER username list_of_privileges_or_levels
> /sbin/LIST_ALLOWED_PRIVS_FOR_USER username list_of_privileges_or_levels
> 
> /sbin/PRIVILEGES_ALLOW_FOR_FILE filename list_of_privileges
> /sbin/PRIVILEGES_DENY_FOR_FILE filename list_of_privileges
> /sbin/LIST_ALLOWED_PRIVILEGES_FOR_FILE filename
> 
> /sbin/PRIVILEGES_ALLOW_FOR_PROCESS processnameID list_of_privileges
> /sbin/PRIVILEGES_DENY_FOR_PROCESS processnameID list_of_privileges
> /sbin/LIST_ALLOWED_PRIVILEGES_FOR_PROCESS processID
> _____________________________________________________________________________
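
Added example, not part of the original message or of Fedora: a sketch of how the proposed per-user port allow-list could be expressed with the iptables owner match mentioned in the reply. The function name ports_allow_for_user and the user "alice" are assumptions; the script only prints rules and applies nothing.

```shell
#!/bin/sh
# Added example (not from the thread). Prints iptables rules; applies nothing.
# ports_allow_for_user is a hypothetical name modelled on the proposed
# /sbin/PORTS_ALLOW_FOR_USER; "alice" below is a constructed sample user.

# Accept only decimal ports 1-65535 with no leading zero.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# Usage: ports_allow_for_user USER PORT...
# Emits rules that let USER open outbound TCP connections only to the
# listed destination ports. The owner match sees locally generated packets
# only, so the rules belong in the OUTPUT chain.
ports_allow_for_user() {
    pafu_user=$1
    case "$pafu_user" in
        ''|-*|*[!A-Za-z0-9_.-]*)
            echo "invalid user name: $pafu_user" >&2; return 1 ;;
    esac
    shift
    # The multiport match takes at most 15 ports per rule.
    if [ "$#" -lt 1 ] || [ "$#" -gt 15 ]; then
        echo "give between 1 and 15 ports" >&2; return 1
    fi
    pafu_list=
    for pafu_p in "$@"; do
        valid_port "$pafu_p" || { echo "invalid port: $pafu_p" >&2; return 1; }
        pafu_list="${pafu_list:+$pafu_list,}$pafu_p"
    done
    # Rule 1: allowed destination ports. Rule 2: reject the user's other TCP
    # traffic, which includes replies from any service that user runs.
    echo "iptables -A OUTPUT -p tcp -m owner --uid-owner $pafu_user" \
         "-m multiport --dports $pafu_list -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp -m owner --uid-owner $pafu_user" \
         "-j REJECT --reject-with tcp-reset"
}

ports_allow_for_user alice 80 443
```

Rule order matters: the ACCEPT rule must precede the REJECT rule, and both only cover TCP, so UDP would need a matching pair.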




More information about the Fedora-security-list mailing list