Confining Applications running as root user

Anamitra Dutta Majumdar (anmajumd) anmajumd at
Fri Aug 21 18:44:23 UTC 2009

Thanks everyone for their responses.
I have another followup question.

Is it mandatory to add all the neverallow rules to assert.te. If so does
that imply that we need to maintain  our own version of assert.te with
the modifications.

Anamitra & Radha

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at] 
Sent: Wednesday, August 12, 2009 1:34 PM
To: Anamitra Dutta Majumdar (anmajumd)
Cc: fedora-selinux-list at
Subject: Re: Confining Applications running as root user

On 08/11/2009 06:54 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> We are trying to migrate our existing security policies to SELinux. We

> are new to SELinux and hence are finding it difficult to map our 
> existing policies.
> In our existing policy, all applications (including ones running as 
> root
> user) with the exception of insmod and modprobe, are denied access to 
> /lib directory. How would we go about writing such a policy without 
> actually confining every application manually, since that would indeed

> be cumbersome?
> Thanks,
> Anamitra & Radha.
So you want to control an administrator that is logged in as root from
writing to /lib?

Not very easy to do.  If he can disable selinux, load kernel modules,
install rpm ...

He can easily circumvent your protection.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at

More information about the fedora-selinux-list mailing list