* Colin Walters <walters@private> [2004-10-28 01:02]:
> On Wed, 2004-10-27 at 18:29 -0400, Colin Walters wrote:
>
> > That's true, I guess it is useful if you still want them to be able to
> > share files etc (which full_user_role currently prevents without
> > additional work).
>
> Although, the additional work here is actually quite small (if indeed
> you do want these users to be able to access each other's files).
>
> full_user_role(bob)
> full_user_role(jane)
> define(`user_readonly_share',`
> allow $1_t $2_home_dir_t:dir { getattr search };
> r_dir_file($1_t, $2_home_t)
> allow $2_t $1_home_dir_t:dir { getattr search };
> r_dir_file($2_t, $1_home_t)
> ')
> user_readonly_share(bob, jane)
>
> This is all much more flexible than the approach of not allowing
> symlinks you don't own. For example, it would certainly be annoying not
> to be able to read users' symlinks in /tmp to debug problems when I'm
> logged in as the system administrator, and have to chown them, then
> chown them back...).

I agree that it's more flexible. However, it only works if you have a
small number of users. Right now SELinux doesn't handle the "many users
case" very well. On the system I work on we have 4300 local users.
Isolating them all via SELinux is not very practical because the policy
really explodes in your face here (I just tried it: 4300x full_user_role
==> policy.conf has a size of 1018MB, 8 million non-comment lines.
checkpolicy is still trying to compile it as I write this)

Aside from that, managing such a huge policy would also be a nightmare:
I work in a university environment where users need to share files
(sometimes rw). While this may not be a typical usage scenario, I'd like
to have some stackable LSMs which provide stronger DAC protections in
addition to MAC.

Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
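The scaling problem Thomas raises can be made concrete by expanding the quoted user_readonly_share macro for a list of users and counting the allow rules it produces. The script below is an added example written for this archive page; it is not code from either poster. It assumes that r_dir_file(src, tgt) expands to one dir and one file allow rule (the usual shape of that macro in policies of the time); the user names and the expansion are constructed for illustration, and the per-user full_user_role body is left as a single line because its real expansion is not shown in the thread.

```python
"""
Added example (not from the original mailing-list post): render the
pairwise `user_readonly_share` macro quoted in the thread for a list of
users and count the resulting rules, to show why per-pair sharing grows
as O(N^2) while the per-user roles grow as O(N).

Assumption: r_dir_file(src, tgt) expands to one `dir` and one `file`
allow rule. That expansion and the user names used in the demo are
constructed for illustration.
"""
from itertools import combinations


def r_dir_file(src: str, tgt: str) -> list[str]:
    # Assumed expansion of the r_dir_file macro: read-only access to
    # directories and files of the target type.
    return [
        f"allow {src} {tgt}:dir r_dir_perms;",
        f"allow {src} {tgt}:file r_file_perms;",
    ]


def user_readonly_share(u1: str, u2: str) -> list[str]:
    # Literal expansion of the macro body from the thread, with $1/$2
    # substituted: two home_dir_t search rules plus two r_dir_file calls.
    rules = [f"allow {u1}_t {u2}_home_dir_t:dir {{ getattr search }};"]
    rules += r_dir_file(f"{u1}_t", f"{u2}_home_t")
    rules.append(f"allow {u2}_t {u1}_home_dir_t:dir {{ getattr search }};")
    rules += r_dir_file(f"{u2}_t", f"{u1}_home_t")
    return rules


def render_policy(users: list[str]) -> list[str]:
    # One full_user_role per user (kept unexpanded here), then one
    # user_readonly_share per unordered pair, as in the quoted snippet.
    lines = [f"full_user_role({u})" for u in users]
    for a, b in combinations(users, 2):
        lines.extend(user_readonly_share(a, b))
    return lines


def rule_counts(n: int) -> dict[str, int]:
    # Closed form for the same policy: N role lines, N*(N-1)/2 pairs,
    # and 6 allow rules per pair under the assumed r_dir_file expansion.
    pairs = n * (n - 1) // 2
    return {"roles": n, "pairs": pairs, "share_rules": 6 * pairs}


if __name__ == "__main__":
    # Constructed demo: two users reproduce the quoted bob/jane case.
    for line in render_policy(["bob", "jane"]):
        print(line)
    # The pairwise term dominates long before 4300 users.
    for n in (2, 10, 100, 4300):
        print(n, rule_counts(n))
```

The quadratic term is the point: even with a compact per-user role, granting every user read access to every other user's home directory via this macro needs on the order of N^2 allow rules, which is why Thomas's environment (many users who need to share files) is a poor fit for isolating users purely through per-user SELinux roles.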
This archive was generated by hypermail 2.1.3 : Wed Oct 27 2004 - 23:23:13 PDT