Fedora Core 7 Policy examples to trim root users rights

Ken YANG spng.yang at gmail.com
Mon Nov 12 09:04:22 UTC 2007


Markus Rudel wrote:
> Hello everybody,
> 
> I'm currently looking into SELinux on Fedora Core 7. Right now, I've 
> read "SELinux by Example" as well as several other documents on the net. 
> But no document covers Fedora 7.
> 
> Is there documentation especially made for Fedora 7?

The Fedora wiki has some docs for SELinux in Fedora (not for 7), which
have some useful information.

> 
> My main goals in using SELinux are:
> 
> Trim root user rights:
> root and normal users shouldn't be able to access other users' files. 
> There should be one separate user besides root, who can control and 
> grant access to SELinux rights. The examples from "SELinux by Example" 
> (page 309 to 311) don't work for me. The newrole command to switch to 
> user admin doesn't work.
> 
> Limiting access to insmod, lsmod etc. to avoid loading further kernel 
> modules (I know, the same effect could be accomplished by using a static 
> kernel, but I'm interested in limiting access to kernel modules while 
> using a modular kernel).
> 
> Limiting access to /dev/kmem to avoid reading memory

In the F8 development cycle, Dan has finished the merge of the strict and
targeted policies.

In the current F8 SELinux policy, there are some special users, like
xguest, which are confined to do only certain things, including
web browsing (by Firefox)...

I think that these related policies are good examples for your goal.


> 
> 
> Maybe someone can help me with some example policies. I'm not so much 
> interested in restraining processes, right now, my only concern and idea 
> is to limit access to files and folders. This is because almost 
> everything under Linux works with files. So the idea is to control 
> access on just a few files. This would be very helpful for me.
> 
> Right now, I'm smacking my head on the table. After installing and 
> trying strict, refpolicy and mls policy, I'm stuck.
> 
> 
> Thanks for your help
> Markus
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
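Ken's pointer to the xguest policy, made concrete as an added example that is not code from this post, from Fedora, or from the xguest module itself: a POSIX shell script that asks the loaded policy, through setools (seinfo, sesearch), what the xguest_t domain may do against the three things Markus listed, the sys_module capability that insmod needs, the sys_rawio capability, and read access to memory_device_t, the type Fedora's policy puts on /dev/kmem and /dev/mem, and that maps a Linux login to a confined SELinux user with semanage so its shells start in that user's domain rather than in unconfined_t. It assumes a Fedora system running the merged (F8 or later) policy with the xguest module, setools and policycoreutils installed, and root for the semanage step; the function names and return-code convention are my own.

```shell
#!/bin/sh
# Added example, not code from the list post or from Fedora's policy.
# Assumes: Fedora with the merged (F8-or-later) policy that ships the
# xguest module, setools (seinfo, sesearch) and policycoreutils
# (semanage) installed.  Type names are the ones Fedora's policy defines:
# xguest_t (the xguest user domain), unconfined_t (what root usually runs
# as) and memory_device_t (the label on /dev/kmem, /dev/mem, /dev/port).
# Function names and return codes are my own convention.

# Is DOMAIN granted Linux capability CAP by any allow rule, direct or via
# an attribute?  0 = yes, 1 = no, 2 = usage error, 3 = sesearch missing.
domain_has_cap() {
    domain=$1 cap=$2
    [ -n "$domain" ] && [ -n "$cap" ] || return 2
    command -v sesearch >/dev/null 2>&1 || return 3
    # setools 3 prefixes its output with a "Found N ..." line, setools 4
    # does not; looking for an "allow" line works with both.  A domain the
    # policy does not know produces no rule lines and so counts as "no".
    sesearch --allow -s "$domain" -c capability -p "$cap" 2>/dev/null \
        | grep -q '^[[:space:]]*allow ' || return 1
    return 0
}

# Can DOMAIN read the memory_device_t character devices (/dev/kmem etc.)?
# Same return codes as domain_has_cap.
domain_reads_kmem() {
    domain=$1
    [ -n "$domain" ] || return 2
    command -v sesearch >/dev/null 2>&1 || return 3
    sesearch --allow -s "$domain" -t memory_device_t -c chr_file -p read 2>/dev/null \
        | grep -q '^[[:space:]]*allow ' || return 1
    return 0
}

# Print one verdict line per check for DOMAIN, e.g. "report_domain xguest_t"
# next to "report_domain unconfined_t" to see what confinement removes.
report_domain() {
    domain=$1
    [ -n "$domain" ] || return 2
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch (setools) not installed" >&2; return 3; }
    for cap in sys_module sys_rawio; do
        if domain_has_cap "$domain" "$cap"; then verdict=allowed; else verdict=denied; fi
        printf '%s capability %s: %s\n' "$domain" "$cap" "$verdict"
    done
    if domain_reads_kmem "$domain"; then verdict=allowed; else verdict=denied; fi
    printf '%s read memory_device_t (/dev/kmem, /dev/mem): %s\n' "$domain" "$verdict"
}

# Map Linux login LOGIN to SELinux user SEUSER (e.g. xguest_u) so that its
# shells start in that user's confined domain instead of unconfined_t.
# Needs root.  0 = done, 2 = usage error, 3 = tools missing,
# 4 = SEUSER is not in the loaded policy.
confine_login() {
    login=$1 seuser=$2
    [ -n "$login" ] && [ -n "$seuser" ] || return 2
    command -v semanage >/dev/null 2>&1 && command -v seinfo >/dev/null 2>&1 || return 3
    # "seinfo -u" with no name lists every SELinux user in the loaded policy
    seinfo -u 2>/dev/null | grep -qw "$seuser" || return 4
    # -m modifies an existing login mapping, -a adds a new one
    if semanage login -l 2>/dev/null | awk '{print $1}' | grep -qx "$login"; then
        semanage login -m -s "$seuser" "$login"
    else
        semanage login -a -s "$seuser" "$login"
    fi
}

# Usage: sh this_script.sh xguest_t   (or unconfined_t) prints the report.
if [ "$#" -gt 0 ]; then
    report_domain "$1"
fi
```

Running the report for xguest_t and for unconfined_t side by side shows what the confined domain has lost; confine_login root xguest_u would then give root shells that confinement, but since that also locks root out of module loading and of other users' files it should be tried on a test login first, from a second shell that can undo the mapping with semanage login -d.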
