using selinux to control user access to files

alex at alex at
Tue May 10 14:55:32 UTC 2005

Quoting Hein Coulier <hein.coulier at>:

> Don't get me wrong: I understand why redhat shouldn't be eager to support
> strict policies.  I also don't expect the problems to be generated by
> redhat, but by my 3rd party products: what if websphere (and our internet
> shop) stops running, or all our oracle databases in our 250 retail shops?
> Even with support, damage in $ would be too big.
> I hope that in a few years, linux will become like a mainframe with default
> security, and that it will be an evidence for all vendors that it's their
> duty to provide the necessary rules to protect and keep their systems and
> data available.

I'm looking at this from a bit of a different angle.  A user can do lots of
damage even if only "standard" Unix access controls are used (file permissions
and ownerships).  SELinux only brings this to a more complex level.  If it is
too complex for Red Hat (or any other vendor) to support it at standard pricing
levels, they could have an "advanced security release" of the product that
includes strict policy with a higher price tag (that would reflect higher
support costs).  Users of cheaper products should be allowed to install strict
policy too, but if they need support, they'd need to switch back to targeted
policy or upgrade to the "advanced security" version of the product.  I see
nothing wrong with such an

> The best solution for me would be that rbac on userbase could be made
> available in targeted policy.

I'm a total SELinux newbie (I intend to improve on that), but yes, this would
be a nice-to-have feature if possible.  In my work environment, we work with
some sensitive data, and we must have an audit trail whenever some types of
files are touched (or we would fail external audits, which translates to lost
jobs, simple as that).  The problem with using Linux so far was the lack of
good auditing tools.  SELinux looked promising on the surface, but if I can
have auditing only with strict policy, and RHEL doesn't support it, then Red
Hat has put itself out of the game.  If it was possible to create "targeted"
per-user/group rules in targeted policy, with audit logging (when access is
granted), that would be good enough.

> I think you're all doing a great job, and I still believe selinux is the
> future.  Keep up the good work.

I completely agree with this.


More information about the fedora-selinux-list mailing list