using selinux to control user access to files

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue May 10 15:31:53 UTC 2005


On Tue, 10 May 2005 09:55:32 CDT, alex at milivojevic.org said:

> > Best solution for me would be that rbac on userbase could be made available
> > in targeted policy.
> 
> I'm an total SELinux newbie (intend to improve on that), but yes, this 
> would be
> nice to have feature if possible.  In my work environmnt, we work with some
> sensitive data, and we must have audit trail whenever some types of files are
> touched (or we would fail external audits, which translates to lost jobs,
> simple as that).

Well, unfortunately, this is a "fish or cut bait" scenario.  Targeted looks
the way it does because all "normal userspace" gets dumped into one unconfined_t.

If you want per-(user/role/etc) separation, you really have to go to some
variant on "strict" - a *huge* part of the size of "strict" is dealing with all
those annoying interactions between domains.  If you want a user1_t and a
user2_t, you almost have to support splitting tmp_t into a user1_tmp_t and a
user2_tmp_t so user2 can't get into user1 via a tmp_t file.

I suspect what you really want here is not "targeted" but "strict with a lot
of the booleans set to loosen the policy somewhat".....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050510/cf81d72d/attachment.sig>


More information about the fedora-selinux-list mailing list