using selinux to control user access to files
Daniel J Walsh
dwalsh at redhat.com
Mon May 9 15:37:33 UTC 2005
Hein Coulier wrote:
>>Yes, if you want to have user roles and domains, you need strict policy.
>>targeted policy lacks the infrastructure for user roles and domains; it
>>only knows about daemons.
>>Ah, unfortunately RHEL4 didn't ship with a strict policy included.
>>You can take it up with your Red Hat support person, or grab the
>>selinux-policy-strict* packages from Fedora Core (in the latter case,
>>you will likely want to also upgrade your other SELinux-related
>>packages, e.g. libsepol, libsepol-devel, libselinux, libselinux-devel,
>>checkpolicy, policycoreutils, setools, setools-gui).
>That is a bummer! I read that redhat (even in rhel5) is not supporting the
>strict policy. Since we're running a lot of 3rd party products (oracle,
>websphere, openview, controlm, ...), I doubt that management will be willing
>to take the risk of running unsupported.
>I'll have to address my superiors, but I fear it might be over-and-out for
>Nevertheless, thanks for the support and your time!
We are moving targeted policy to cover all non-userspace processes in
the future (RHEL5). I am not sure what you mean by unsupported. If you
have layered products providing their own policy, that will be
supported. The thing that is not supported, except through Professional
Services, is picking and choosing which policy you will be running and
modifying the existing targeted policy. If you modify existing policy so
that it breaks the machine, Red Hat Support is going to have a difficult
time diagnosing the problem. We just want to avoid that.