using selinux to control user access to files
Daniel J Walsh
dwalsh at redhat.com
Tue May 10 15:50:19 UTC 2005
alex at milivojevic.org wrote:
> Quoting Hein Coulier <hein.coulier at infoco.be>:
>
>> Don't get me wrong: I understand why Red Hat shouldn't be eager to support
>> strict policies. I also don't expect the problems to be generated by
>> Red Hat, but by my 3rd party products: what if WebSphere (and our internet
>> shop) stops running, or all our Oracle databases in our 250 retail shops?
>> Even with support, damage in $ would be too big.
>>
>> I hope that in a few years, Linux will become like a mainframe with default
>> security, and that it will be an evidence for all vendors that it's their
>> duty to provide the necessary rules to protect and keep their systems and
>> data available.
>
>
> I'm looking at this from a bit different angle. User can do lots of damage
> even if only "standard" Unix access controls are used (file permissions and
> ownerships). SELinux only brings this at more complex level. If it is too
> complex for Red Hat (or any other vendor) to support it at standard pricing
> levels, they could have "advanced security release" of product that includes
> strict policy with higher price tag (that would reflect higher support
> costs). Users of cheaper products should be allowed to install strict
> policy too, but if they need support, they'd need to switch back to targeted
> policy or upgrade to "advanced security" version of product. I see nothing
> wrong with such an approach.
>
>> Best solution for me would be that RBAC on userbase could be made available
>> in targeted policy.
>
>
> I'm a total SELinux newbie (intend to improve on that), but yes, this would
> be nice to have feature if possible. In my work environment, we work with
> some sensitive data, and we must have audit trail whenever some types of
> files are touched (or we would fail external audits, which translates to
> lost jobs, simple as that). Problem with using Linux so far was lack of good
> auditing tools. SELinux looked promising on the surface, but if I can have
> auditing only with strict policy, and RHEL doesn't support it, then Red Hat
> has put itself out of game. If it was possible to create "targeted"
> per-user/group rules in targeted policy, with audit logging (when access is
> granted), that would be good enough.
>
You can use the Audit Framework for watching certain files with or
without SELinux.
Have you looked at auditd and auditctl?

>> I think you're all doing a great job, and I still believe SELinux is the
>> future. Keep up the good work.
>
>
> I completely agree with this.
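
Added example, not part of the original thread: one way to get the per-file audit trail asked for above using the audit framework the reply points to, with watch rules in audit.rules syntax and a reader that joins each event's SYSCALL and PATH records. The directory /srv/payroll, the key sensitive-files and the log records are constructed for illustration.

```shell
# Added example; paths, key name and log records below are constructed.
# Emit watch rules in audit.rules syntax (load them with: auditctl -R <file>).
# -p rwa records reads, writes and attribute changes; -k tags matching events.
watch_rules() {
    key=$1; shift
    for target in "$@"; do
        printf '%s\n' "-w $target -p rwa -k $key"
    done
}

# Constructed records in the raw audit.log layout (fields abbreviated).
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1115740219.101:42): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2177 auid=501 uid=501 comm="cat" exe="/bin/cat" key="sensitive-files"
type=PATH msg=audit(1115740219.101:42): item=0 name="/srv/payroll/2005-04.csv" inode=1311 dev=08:01 mode=0100640
type=SYSCALL msg=audit(1115740225.007:43): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2190 auid=502 uid=502 comm="vi" exe="/usr/bin/vi" key="sensitive-files"
type=PATH msg=audit(1115740225.007:43): item=0 name="/srv/payroll/2005-04.csv" inode=1311 dev=08:01 mode=0100640
type=SYSCALL msg=audit(1115740230.555:44): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2201 auid=501 uid=0 comm="cat" exe="/bin/cat" key="other-watch"
EOF
}

# Join the SYSCALL and PATH records of each event carrying the given key.
audit_trail() {
    awk -v want="$1" '
    function field(rec, name,    i, n, tok, val) {
        n = split(rec, tok, " ")
        for (i = 1; i <= n; i++)
            if (index(tok[i], name "=") == 1) {
                val = substr(tok[i], length(name) + 2)
                gsub(/"/, "", val)
                return val
            }
        return ""
    }
    { id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id) }
    $1 == "type=SYSCALL" && field($0, "key") == want {
        seen[++count] = id; ok[id] = field($0, "success")
        who[id] = field($0, "auid"); prog[id] = field($0, "exe")
    }
    $1 == "type=PATH" && !(id in file) { file[id] = field($0, "name") }
    END {   # one line per event: event-id auid exe path success
        for (i = 1; i <= count; i++) { id = seen[i]; print id, who[id], prog[id], file[id], ok[id] }
    }'
}

watch_rules sensitive-files /srv/payroll
sample_log | audit_trail sensitive-files
```

The trail includes the denied open (success=no) as well as the granted one, and reports auid, the login identity that survives su or sudo. On a live system `ausearch -k sensitive-files -i` reports the same events with numeric ids translated to names.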