Restrict unconfined_u access to a dir in targeted mode

Daniel J Walsh dwalsh at redhat.com
Mon Feb 21 16:32:04 UTC 2011



On 02/21/2011 11:28 AM, Matthew Davis wrote:
> Is it possible? I'm curious if you can restrict root from accessing a
> given directory and limit it to a specific domain. Maybe this isn't
> how targeted policy was designed, and the strict policy is needed. But
> I was curious, and couldn't figure out a good way to do it.


If you want to write policy for a confined administrator, it is better
to start with what you want to allow rather than what you want to deny.

In RHEL6 Targeted Policy I can build a policy for a user process running
as root to have access to only limited directories.  In RHEL5 you would
need to do this with strict policy.

