* Colin Walters <walters@private> [2004-10-29 16:46]:
> On Wed, 2004-10-27 at 23:23:22 -0100, Thomas Bleher wrote:
>
> > I agree that it's more flexible. However, it only works if you have a
> > small number of users. Right now SELinux doesn't handle the "many users
> > case" very well.
> > On the system I work on we have 4300 local users. Isolating them all via
> > SELinux is not very practical because the policy really explodes in your
> > face here (I just tried it: 4300x full_user_role ==> policy.conf has a
> > size of 1018MB, 8 million non-comment lines. checkpolicy is still
> > trying to compile it as I write this)
>
> Hm, yes, I guess the TE matrix rather explodes in that case,
> particularly if you want interactions among some of those 4300 users.
>
> One idea occurred to me: Could you express this as a constraint based on
> the SELinux user identity (rather than the uid, which is untrustworthy).
>
> Something like this:
>
> constrain lnk_file read ( t2 != tmpfile or u1 == u2 );

Ahh! This looks really useful! Thanks for pointing it out. I'll try it on
a test machine to see what breaks.

> We'd just need a new attribute 'tmpfile' to mark all types like tmp_t
> and derived ones such as user_tmp_t. You still need to give each
> individual user their own SELinux identity, but they can still be
> user_t.

I already have separate identities for all users (generated with a script
on policy load), which makes it much easier to track down problems. So this
is no problem.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
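The constraint sketched in the thread, written out as a fuller policy fragment in the checkpolicy language of that era. This is an added illustration, not policy from the thread or from either author: the attribute name tmpfile, the types tmp_t and user_tmp_t and the user_r role come from the messages, while the user names, the tmpreaper_t exemption domain and the file_type/sysadmfile attributes on the type lines are assumptions standing in for whatever the existing policy declares. It goes beyond the single lnk_file/read rule in the thread by covering the other file-like object classes and the permissions that disclose or alter an object.

```selinux
# Added example (not from the thread): isolate per-user temporary files by
# SELinux user identity instead of by one type per user.

# One attribute marks every type that can label a temporary file.
attribute tmpfile;

# Add the attribute to the existing temp-file type declarations. file_type
# and sysadmfile stand for whatever attributes those declarations already
# carry in the policy being edited (assumed here).
type tmp_t, file_type, sysadmfile, tmpfile;
type user_tmp_t, file_type, sysadmfile, tmpfile;

# Every person gets a distinct SELinux identity but the same role and
# domain, so the TE matrix does not grow with the number of users.
# (User names are constructed for the example.)
user alice roles { user_r };
user bob   roles { user_r };

# Hypothetical administrative domain that must still reach everyone's
# temp files, e.g. a /tmp cleaner. Without an exemption like this the
# u1 == u2 test also denies system_u daemons.
type tmpreaper_t, domain;

# Permissions listed here are common to all the file-like classes named,
# which checkpolicy requires for a single constrain statement.
# A subject may use one of these permissions on an object only if the
# object is not a temp file at all, or the user parts of the two contexts
# match, or the subject is the exempted administrative domain.
constrain { file lnk_file sock_file fifo_file chr_file blk_file }
          { read write append getattr setattr unlink link rename execute }
          ( t2 != tmpfile or u1 == u2 or t1 == tmpreaper_t );

# The dir class is deliberately left out: /tmp itself is labelled
# system_u:object_r:tmp_t, so a dir constraint keyed on u1 == u2 would
# deny every ordinary user search access to /tmp.
```

The scheme works because the user component of a newly created file's context is inherited from the creating process: a file alice writes under /tmp is labelled alice:object_r:user_tmp_t with no per-user type involved, and bob's user_t process fails the u1 == u2 test on it. Constraints are checked after the TE allow rules, so the existing allow rules for user_t and user_tmp_t stay as they are, and a violation is logged as an ordinary avc: denied message, which keeps the "see what breaks" test on a spare machine straightforward.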
This archive was generated by hypermail 2.1.3 : Fri Oct 29 2004 - 12:29:04 PDT