On Thu, 2005-03-24 at 15:58 -0500, Chris Stankaitis wrote: > If there is no 2.4 kernel solution, is there a 2.6/selinux solution to > my problem? that would not allow anyone (even root) to do anything but > append to logs? Yes, definitely. SELinux provides a fine-grained "append" permission for files that one can grant to specific domains for specific file types (such as log files). How exactly you implement this depends on which threats you are trying to counter. If you are simply trying to prevent a compromised daemon program which runs as uid 0 from changing logs, you could probably stick with the default Fedora "targeted" policy, which for a number of daemons such as Apache HTTPD already enforces this restriction. If you have daemons outside the targeted set, it is typically not too difficult to pull in the relevant policy from the "strict" into targeted, although there are a few gotchas which we can help with on fedora-selinux-list. In order to confine user logins (e.g. someone logging in as root via sshd), you will need to use the "strict" policy. You then have to make a decision on exactly what permissions to grant to the login. One option is to simply place root into the user_r role (i.e. not sysadm_r). There, the login is restricted in a way similar in effect to a Linux non-zero uid. However, system administration such as restarting daemons is not possible. It is theoretically possible to have a role similar to sysadm_r/sysadm_t but that prevents direct access to log files. However, it seems very likely to me that someone with privileges similar to sysadm_t could indirectly influence log files in other ways; e.g. by simply installing a malicious version of a daemon package. I imagine the same is true of the BSD securitylevel, of course. One nice thing about SELinux though is that you can use a tool such as "apol" to find all of those means of influence; i.e. what is the information flow from user_t to httpd_log_t. With BSD security levels you don't have any such assurance. If you have more questions about SELinux, please ask on fedora-selinux-list.
