using selinux to control user access to files

Stephen Smalley sds at tycho.nsa.gov
Fri May 6 13:17:15 UTC 2005


On Fri, 2005-05-06 at 09:19 -0400, Daniel J Walsh wrote:
> Yes I realize that but handling things like this with MAC is not that 
> easy.   Writing policy
> where different user roles have R, RW,RWX, No read is not a strong suit 
> of MAC.

For specific data files, it should be relatively straightforward; he
just needs to instantiate the roles via full_user_role(), define a few
new file types for the particular data he wants to restrict, and add
specific allow rules and auditallow rules between the new user domains
and the new file types.  I agree that a higher level language or tool
would make life simpler, but the mechanism is certainly capable of
supporting the need.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
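As an added illustration of the approach described in the reply (not code from Smalley's message or from any shipped policy), this is what those pieces look like in the 2005 example-policy syntax: full_user_role() and the *_perms / file_type / sysadmfile macros and attributes are the example policy's own, while the four role names, the payroll_data_t type and the /srv/payroll path are assumptions chosen for the sketch.

```selinux
# --- 1. Instantiate one user role/domain per access tier (example policy macro).
# Each call defines <name>_r and <name>_t with the generic user-domain rules.
full_user_role(viewer)     # read-only tier
full_user_role(editor)     # read/write tier
full_user_role(runner)     # read/write/execute tier
full_user_role(clerk)      # no access at all to the restricted data

# --- 2. A new file type for the particular data being restricted.
# file_type marks it as an ordinary file type; sysadmfile (example policy
# attribute) lets sysadm_r administer it. Assumed type name.
type payroll_data_t, file_type, sysadmfile;

# --- 3. Tier-specific allow rules. Every domain must at least search the
# directory; the file permissions then differ per tier.
allow { viewer_t editor_t runner_t } payroll_data_t:dir r_dir_perms;

allow viewer_t payroll_data_t:file r_file_perms;    # R
allow editor_t payroll_data_t:file rw_file_perms;   # RW
allow editor_t payroll_data_t:dir  rw_dir_perms;    # may create/remove entries
allow runner_t payroll_data_t:file rx_file_perms;   # R + execute
allow runner_t payroll_data_t:file { write append };# ...plus W (so RWX)

# clerk_t gets no rule: with payroll_data_t carrying no attribute that the
# generic user macros grant access to, the default-deny model yields "No read".

# --- 4. auditallow: permitted, but logged, so writes by the RW/RWX tiers
# leave an audit trail without being blocked.
auditallow { editor_t runner_t } payroll_data_t:file { write append unlink };

# --- 5. file_contexts entry so the data is labelled on relabel/restorecon
# (assumed path):
# /srv/payroll(/.*)?    system_u:object_r:payroll_data_t
```

After loading the policy, `ls -Z /srv/payroll` should show payroll_data_t on the files, and a denied read attempt from clerk_r appears as an AVC denial in the audit log while editor_r writes appear as granted AVC records from the auditallow rule.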
