Confining Applications running as root user
Daniel J Walsh
dwalsh at redhat.com
Wed Aug 12 20:34:14 UTC 2009
On 08/11/2009 06:54 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>
>
> We are trying to migrate our existing security policies to SELinux. We
> are new to SELinux and hence are finding it difficult to map our
> existing policies.
>
> In our existing policy, all applications (including ones running as root
> user) with the exception of insmod and modprobe, are denied access to
> /lib directory. How would we go about writing such a policy without
> actually confining every application manually, since that would indeed
> be cumbersome?
>
> Thanks,
> Anamitra & Radha.
>
So you want to stop an administrator who is logged in as root from writing to /lib?
Not very easy to do. If he can disable SELinux, load kernel modules, install RPMs ...,
he can easily circumvent your protection.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
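For readers mapping the original question onto SELinux terms, here is an added example (not from the thread, and not a Red Hat or reference-policy file). SELinux denies everything a policy does not explicitly allow, so "deny all but insmod and modprobe" is expressed not as a list of denials but as an assertion that only one domain holds the write permissions on /lib. The type names are assumptions taken from the Fedora reference policy of that era: lib_t is the type on /lib, insmod_t is the domain that both insmod and modprobe run in, and domain is the attribute carried by every process type.

```selinux
# Added example: a small policy module that asserts, at policy build time,
# that no process domain other than insmod_t may modify anything labeled
# lib_t.  Type and attribute names are assumed from the Fedora reference
# policy; adjust them to whatever `seinfo -t` reports on your system.
policy_module(restrict_lib_writes, 1.0)

require {
	attribute domain;
	type lib_t;
	type insmod_t;
	class file { write append create unlink rename link setattr };
	class dir { write add_name remove_name rename reparent rmdir create };
	class lnk_file { create unlink rename link };
}

# These are assertions, not runtime rules: the build fails if any allow
# rule in the linked policy grants one of the listed permissions on lib_t
# to a domain that is not insmod_t.  Against the stock targeted policy the
# build fails immediately, because unconfined_t (where a root login lands)
# is allowed all of them.  That failure is the point Dan Walsh makes above:
# as long as root is unconfined, the restriction is not enforceable.
neverallow { domain -insmod_t } lib_t:file { write append create unlink rename link setattr };
neverallow { domain -insmod_t } lib_t:dir { write add_name remove_name rename reparent rmdir create };
neverallow { domain -insmod_t } lib_t:lnk_file { create unlink rename link };
```

Build it with the policy development Makefile (`make -f /usr/share/selinux/devel/Makefile restrict_lib_writes.pp`) and load it with `semodule -i`; neverallow rules inside loadable modules are only checked when `expand-check=1` is set in /etc/selinux/semanage.conf. Before writing any policy, `sesearch --allow -t lib_t -p write` (from setools) lists every domain that can already write lib_t; that list, not the module above, is what has to shrink, and it shrinks only if root no longer runs in unconfined_t. Even then the circumvention routes in the reply remain open unless they are closed separately, for example `setsebool -P secure_mode_policyload on` to stop any domain from switching to permissive mode or loading a new policy.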