using selinux to control user access to files

Daniel J Walsh dwalsh at redhat.com
Tue May 10 15:50:19 UTC 2005 

alex at milivojevic.org wrote:

> Quoting Hein Coulier <hein.coulier at infoco.be>:
>
>> Don't get me wrong : i understand why redhat shouldn't be eager to 
>> support
>> strict policies.  I also don't expect the problems to be generated by
>> redhat, but by my 3rd party products : what if websphere (and our 
>> internet
>> shop) stops running, or all our oracle databases in our 250 retail 
>> shops ?
>> Even with support, damage in $ would be to big.
>>
>> I hope that in a few years, linux will become  like a mainframe with 
>> default
>> security, and that it will be an evidence for all vendors that it's 
>> their
>> duty to provide the neccessary rules to protect and keep their 
>> systems and
>> data available.
>
>
> I'm looking at this from a bit different angle.  User can do lots of 
> damage even
> if only "standard" Unix access controls are used (file permissions and
> ownerships).  SELinux only brings this at more complex level.  If it 
> is too
> complex for Red Hat (or any other vendor) to support it at standard 
> pricing
> levels, they could have "advanced security release" of product that 
> includes
> strict policy with higher price tag (that would reflect higher support 
> costs). Users of cheaper products should be allowed to install strict 
> policy too, but if
> they need support, they'd need to switch back to targeted policy or 
> upgrade to
> "advanced security" version of product.  I see nothing wrong with such an
> approach.
>
>> Best solution for me would be that rbac on userbase could be made 
>> available
>> in targeted policy.
>
>
> I'm an total SELinux newbie (intend to improve on that), but yes, this 
> would be
> nice to have feature if possible.  In my work environmnt, we work with 
> some
> sensitive data, and we must have audit trail whenever some types of 
> files are
> touched (or we would fail external audits, which translates to lost jobs,
> simple as that).  Problem with using Linux so far was lack of good 
> auditing
> tools.  SELinux looked promising on the surface, but if I can have 
> auditing
> only with strict policy, and RHEL doesn't support it, than Red Hat has 
> put
> itself out of game.  If it was possible to create "targeted" 
> per-user/group
> rules in targeted policy, with audit logging (when access is granted), 
> that
> would be good enough.
>
You can use the Audit Framework for watching certain files with or 
without SELinux.

Have you looked at auditd and auditctl.

>> I think you're all doing a great job, and i still believe selinux is the
>> future.  Keep up the good work.
>
>
> I completely agree with this.
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list



--

More information about the selinux mailing list