Re: [RFC] [PATCH] Replace security fields with hashtable

From: Thomas Bleher (bleher@private-muenchen.de)
Date: Fri Oct 29 2004 - 12:29:26 PDT


* Colin Walters <walters@private> [2004-10-29 16:46]:
> On Wed, 2004-10-27 at 23:23:22 -0100, Thomas Bleher wrote:
> 
> > I agree that it's more flexible. However, it only works if you have a 
> > small number of users. Right now SELinux doesn't handle the "many users 
> > case" very well. 
> > On the system I work on we have 4300 local users. Isolating them all via 
> > SELinux is not very practical because the policy really explodes in your 
> > face here (I just tried it: 4300x full_user_role ==> policy.conf has a 
> > size of 1018MB, 8 million non-comment lines. checkpolicy is still 
> > trying to compile it as I write this)
> 
> Hm, yes, I guess the TE matrix rather explodes in that case,
> particularly if you want interactions among some of those 4300 users.
> 
> One idea occurred to me: Could you express this as a constraint based on
> the SELinux user identity (rather than the uid, which is untrustworthy)?
> 
> Something like this:
> 
> constrain lnk_file read ( t2 != tmpfile or u1 == u2 );

Ahh! This looks really useful! Thanks for pointing it out. I'll try it
on a test machine to see what breaks.

> We'd just need a new attribute 'tmpfile' to mark all types like tmp_t
> and derived ones such as user_tmp_t.  You still need to give each
> individual user their own SELinux identity, but they can still be
> user_t.

I already have separate identities for all users (generated with a
script on policy load), which makes it much easier to track down
problems. So this is no problem.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7
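
Added example (not part of the original message and not SELinux project code): a small Python model of how the constraint quoted in the thread is evaluated on top of the TE allow rule when every user shares user_t but has their own SELinux identity. The user names, the allow table and the set of types carrying the 'tmpfile' attribute are constructed sample data.

```python
from typing import NamedTuple

class Context(NamedTuple):
    user: str  # SELinux user identity: u1 (source) / u2 (target)
    role: str
    type: str  # t1 (source) / t2 (target)

# Constructed sample: types assumed to carry the proposed 'tmpfile' attribute.
TMPFILE = {"tmp_t", "user_tmp_t"}

# Constructed sample TE rules: (source type, target type) pairs that are
# allowed lnk_file read. One user_t domain is shared by every user.
TE_ALLOW = {("user_t", "tmp_t"), ("user_t", "user_tmp_t"), ("user_t", "etc_t")}

def constraint_ok(src: Context, tgt: Context) -> bool:
    """constrain lnk_file read ( t2 != tmpfile or u1 == u2 );"""
    return tgt.type not in TMPFILE or src.user == tgt.user

def may_read_symlink(src: Context, tgt: Context) -> bool:
    # A constraint never grants access; it is checked in addition to
    # the TE allow rule, so both must pass.
    return (src.type, tgt.type) in TE_ALLOW and constraint_ok(src, tgt)

def demo() -> dict:
    alice = Context("alice", "user_r", "user_t")
    cases = {
        "own link in /tmp": Context("alice", "object_r", "user_tmp_t"),
        "bob's link in /tmp": Context("bob", "object_r", "user_tmp_t"),
        "system link in /tmp": Context("system_u", "object_r", "tmp_t"),
        "system link in /etc": Context("system_u", "object_r", "etc_t"),
        "link with no TE rule": Context("alice", "object_r", "shadow_t"),
    }
    return {name: may_read_symlink(alice, tgt) for name, tgt in cases.items()}

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} {'allowed' if allowed else 'denied'}")
```

In this model the "system link in /tmp" case is denied because the link's identity is system_u rather than alice, which is the kind of breakage a test-machine run would show.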




