Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRBAC/Types Hierarchy
From: Eric Peters <eric_at_peters.org>
Date: Wed, 15 Aug 2001 12:38:49 -0700
> You could certainly modify or replace the example SELinux security server I believe due to the nature of the extended hierarchy, that I will need to have an explicit representation of the permissions. I'm essentially looking to implement a web hosting solution, which would allow a "controlling" account to read/write, send signals to processes, (and possibly su?!? - via explicit transitions) to the "child" accounts. My current idea is to have a new domain for every user, a new role for every user, and corresponding /home/thisuser(|/.*) system_u:object_r:thisuser_home_t
entries in the file_contexts such that in the rbac config, when a
"controlling" account is defined, in addition to his "controllinguser_t"
type,
controllinguser_t thisuser_t } The thisuser_t can be associated, and transitions setup for controllinguser_r to thisuser_r. When installing SELinux, the install process requires an effective reboot after changing the file_contexts so that the new contexts can be enforced on the system. This means of having so many domains, types, and roles, would require alot of "maintenance" when new accounts are added/deleted/edited - however I'm going to have to be managing that anyhow. My real "question" is can the setfiles, (assuming I suppose, it gets a domain established so in runtime it can properly transition to the required roles and set file contexts), and updating the policies be entirely done in a "run time" environment, or would I need to go about redressing this need as well. The means I've gone about installing SELinux don't seem very sympathetic to this runtime change :) Thanks again for all your time, Eric -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 15 Aug 2001 - 15:55:18 EDT |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |