On Wed, 2004-10-27 at 23:23:22 -0100, Thomas Bleher wrote:

> I agree that it's more flexible. However, it only works if you have a
> small number of users. Right now SELinux doesn't handle the "many users
> case" very well.
> On the system I work on we have 4300 local users. Isolating them all via
> SELinux is not very practical because the policy really explodes in your
> face here (I just tried it: 4300x full_user_role ==> policy.conf has a
> size of 1018MB, 8 million non-comment lines. checkpolicy is still
> trying to compile it as I write this)

Hm, yes, I guess the TE matrix rather explodes in that case, particularly
if you want interactions among some of those 4300 users.

One idea occurred to me: could you express this as a constraint based on
the SELinux user identity (rather than the uid, which is untrustworthy)?
Something like this:

    constrain lnk_file read ( t2 != tmpfile or u1 == u2 );

We'd just need a new attribute 'tmpfile' to mark all types like tmp_t and
derived ones such as user_tmp_t. You still need to give each individual
user their own SELinux identity, but they can still be user_t.

I don't have access to a strict policy machine at the moment (at least not
one that's a live server :) ) so I can't test.
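As an added illustration of the constraint proposed in the message above (not code from the thread or from the SELinux project): a small Python model of how that constraint would be evaluated against sample security contexts, showing that it vetoes cross-user reads of symlinks in tmpfile-attributed types while leaving same-user and non-tmpfile accesses to the ordinary TE rules. The attribute name tmpfile and the constrain line come from the proposal; the user names, contexts and the toy TE matrix are constructed for the example.

```python
"""Model of the proposed SELinux constraint (constructed example).

Policy fragment being modelled (not a complete policy):

    attribute tmpfile;
    typeattribute tmp_t tmpfile;
    typeattribute user_tmp_t tmpfile;
    constrain lnk_file read ( t2 != tmpfile or u1 == u2 );

A constraint is checked only after the TE allow rules: it can veto an
access that TE permits, but it never grants one that TE denies.
"""
from dataclasses import dataclass

# Types carrying the 'tmpfile' attribute: tmp_t and types derived from it.
TMPFILE_TYPES = frozenset({"tmp_t", "user_tmp_t"})

# Toy TE matrix: (source type, target type, class, permission).
# Constructed for the example; a real strict policy has far more rules.
TE_ALLOW = frozenset({
    ("user_t", "user_tmp_t", "lnk_file", "read"),
    ("user_t", "user_home_t", "lnk_file", "read"),
})


@dataclass(frozen=True)
class Context:
    user: str   # SELinux user identity (u1/u2), not the untrusted Unix uid
    role: str   # r1/r2, unused by this constraint
    type: str   # t1/t2


def constraint_holds(src: Context, tgt: Context, cls: str, perm: str) -> bool:
    """Evaluate: constrain lnk_file read ( t2 != tmpfile or u1 == u2 )."""
    if (cls, perm) != ("lnk_file", "read"):
        return True  # the constraint only covers lnk_file:read
    return tgt.type not in TMPFILE_TYPES or src.user == tgt.user


def access_allowed(src: Context, tgt: Context, cls: str, perm: str) -> bool:
    """TE allow rule must match AND every applicable constraint must hold."""
    te_ok = (src.type, tgt.type, cls, perm) in TE_ALLOW
    return te_ok and constraint_holds(src, tgt, cls, perm)


# Sample contexts: two users who both run as user_t but have distinct
# SELinux identities, as the proposal requires.
alice = Context("alice", "user_r", "user_t")
alice_tmp_link = Context("alice", "object_r", "user_tmp_t")
bob_tmp_link = Context("bob", "object_r", "user_tmp_t")
bob_home_link = Context("bob", "object_r", "user_home_t")
bob_etc_link = Context("bob", "object_r", "etc_t")
```

Note that the TE matrix stays the same size however many users exist; only the number of SELinux identities grows, which is what makes this cheaper than one full_user_role per user.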
This archive was generated by hypermail 2.1.3 : Fri Oct 29 2004 - 07:46:54 PDT