On Thu, 2005-05-26 at 09:41 +0300, George J. Jahchan wrote: First, what do you mean by "root"? An arbitrary uid 0 process like a daemon or setuid application, or an authenticated administrative user? The former is easy to restrict, as it only has the capabilities and permissions allowed by the SELinux policy for its domain. The latter is difficult, as an admin often has legitimate need to access all files (e.g. backup), can subvert the OS (e.g. by installing updated OS software or configuration files that include his own modifications), and can bypass any OS restrictions (e.g. boot from CD or remove the disk and put it into a system under his control). Second, do you truly want per-user separation or just per- role/domain/level? MAC is more oriented toward the latter. For per- user separation, you have two options: - use the existing Linux DAC support, i.e. set file modes in the usual manner, and only use SELinux to help restrict what processes can override DAC, - define per-user entries in policy/users, define a new file type for these directories, and define a constraint in policy/constraints so that this type may only be accessed by a process with the same SELinux user identity. -- Stephen Smalley National Security Agency

On 27 May 2005, at 17:55, Ma. Alejandra Castillo M. wrote: What kind of policy? SELinux policy? Maintenance/upgrades policy? Please, explain? PS: Now, in Spanish: ¿Qué tipo de política? ¿La política de SELinux? ¿Política de mantenimiento y actualizaciones? Por favor, explícate mejor.

Ma. Alejandra Castillo M. wrote: depends on the selinux-policy you are using. in the (default) targeted policy, sshd runs in the unconfined domain: [root@tiffy rhds]# ps -AZ|grep sshd user_u:system_r:unconfined_t 4249 ? 00:00:00 sshd [root@tiffy rhds]# but of course you can use another selinux-policy which has its own domain for sshd, or write your own. happy day. thorsten -- Thorsten Scherf <tscherf(a)redhat.com&gt;