Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: selinux from user POV
From: Russell Coker <russell_at_coker.com.au>
Date: Sun, 12 Oct 2003 13:09:27 +1000
One thing that should be noted at this time is that the problem is not just creation, it's also renaming. For example if I keep a ~/www.bak directory that I can rename into place if a new change breaks something then I will want to permit Apache to serve content from it.
> Also, user webpages can't be read by apache until they are This can of course be a configuration issue. The administrator can decide whether to just grant apache access to the web content type or all files in the users' home directories.
> 1.An admin could cron relabeling to the /home partition, this is hackish You have to be really careful about hard links for this. Of course if the relabel command would open the file first, get the current context, and then only make limited changes to it (EG preserving the identity and only making type changes within the range of types that a particular role has access to).
> 2. Could give users access to a limited setfiles script with a limited Why make it read-only? If they want to copy the file_contexts file and make changes then it's their issue.
> they'd also have to be given permission to label ssh types.. (ick) That shouldn't be a problem. As they have full read-write access to the ssh types they can always achieve the same result by copying files around. We should probably just grant that access.
> --- nsa guys really won't like these--- That also fails in the case of "mv".
mkdir ~/www.new
Now my home page does not work...
> 4. (This one may be over complicated but seems like the most Loading regular expressions code into the kernel is not a good option. But extending genfs_contexts to support basic wild-cards may be an option. genfscon homefs /*/.gnupg system_u:object_r:user_gpg_secret_t genfscon homefs /*/.ssh system_u:object_r:user_home_ssh_t The problem is how to distinguish an ext3 file system used for /home from one used for /. Maybe a mount option? Maybe cat something to /selinux/ mount_context before mounting a file system? I can't imagine any way of addressing this that isn't ugly. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Sat 11 Oct 2003 - 23:09:51 EDT |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |