On Wed, 2005-05-25 at 21:39 -0500, Serge E. Hallyn wrote:

> A few years ago, while I was still working on DTE, I was contacted by
> someone who ran a large web-cgi farm. He wanted to know whether DTE
> could be used to satisfy his security goals. In particular, he had 100k
> users who could use a few global cgi scripts, but once they ran cgi
> scripts under their own directory, those scripts should only be able to
> access files under their own home directory, with a few predefined
> exceptions. In addition it shouldn't be "hard" to add or remove users.
>
> To express this in TE would require a very large policy, with policy
> reloads for user add/remove.

I'm not clear I understand why. SELinux constraints on the user
identities or DAC could cover the user-based restrictions, with just a
few types and TE rules to deal with the notions of global cgi scripts
vs. others.

As far as adding and removing users goes, policy reload is necessary,
but adding/removing users has become much simpler in FC4 via
/etc/selinux/strict/users/local.users; you no longer need to rebuild
the binary policy file. And the binary policy module work will allow
other kinds of customizations more easily on end systems.

> To take away this kind of flexibility from people actually trying to
> install real systems should not be done lightly.

I think this is a misunderstanding; there is no loss in freedom; you
are still free to patch the kernel to do what you wish, and in fact,
you could just as easily patch SELinux to call your own hooks on entry
to its hook functions if you wanted to avoid trying to track the core
kernel changes. It is just a question of whether the core kernel itself
needs to directly provide support for out-of-tree LSMs.

--
Stephen Smalley
National Security Agency
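As an added illustration (not part of the thread, and not from any shipped policy), this is what the approach described in the reply could look like in the FC4-era monolithic policy language: a fixed handful of TE types separates global from per-user CGI, a constraint on the SELinux user identity keeps a per-user script inside that user's own files, and each new user costs one line in local.users. All type and user names are hypothetical, and the fragment assumes each user's files carry that user's SELinux identity in their security context, as files created by that user do.

```selinux
# Hypothetical policy fragment (added example, not from the thread).
# Goal from the thread: per-user CGI may only touch its own user's files,
# a few global CGI scripts are shared, and adding a user must be cheap.

# A small, fixed set of types; no type or rule is needed per user.
type httpd_global_cgi_exec_t;   # shared CGI binaries (hypothetical name)
type httpd_global_cgi_t;        # domain for shared CGI
type httpd_user_cgi_exec_t;     # CGI under a user's own directory
type httpd_user_cgi_t;          # domain for per-user CGI
type user_web_content_t;        # files under users' home directories
type web_shared_data_t;         # the "few predefined exceptions"

# TE rules: the same allow rules serve every one of the 100k users.
allow httpd_user_cgi_t user_web_content_t:dir { search getattr read };
allow httpd_user_cgi_t user_web_content_t:file { read getattr write };
allow httpd_user_cgi_t web_shared_data_t:file { read getattr };
allow httpd_global_cgi_t user_web_content_t:file { read getattr };

# The user-based restriction is a constraint, not a TE rule. Constraints
# are checked in addition to the allow rules above: a per-user CGI process
# (t1 == httpd_user_cgi_t) may act on a file only if the file's SELinux
# user (u2) equals the process's user (u1). The global CGI domain and the
# shared exception type are exempted by the other disjuncts.
constrain { file dir lnk_file } { read write create unlink rename getattr setattr }
    ( u1 == u2 or t1 != httpd_user_cgi_t or t2 == web_shared_data_t );

# Adding a user is then one line in /etc/selinux/strict/users/local.users,
# followed by a policy reload rather than a rebuild of the binary policy:
user alice roles { user_r };
user bob   roles { user_r };
```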
This archive was generated by hypermail 2.1.3 : Thu May 26 2005 - 06:40:06 PDT