Re: Naming convention flames

On Fri, 2 Apr 2004, Dax Kelson wrote:

> I'm a fan of SELinux with its way to enforce the "correct behavior" of
> applications, but if you are just narrowly looking at a solution for
> granular file permissions, then POSIX file ACLs are all you need.

Perhaps in a very limited way.  You have no central policy for determining
how the ACLs are applied, nor any mechanism for enforcing security policy.  
Management of security can become unwieldy from a user point of view as
the access rights are stored with the objects, e.g. "which files can bilbo
execute?" or "ensure that frodo can't read any files created by pippin"
would involve expensive, non-atomic traversals of entire filesystems.

> Speaking of which, how do SELinux file permissions interact with a
> directory that has a default ACL applied?

SELinux only provides additional restrictions to existing DAC logic, so if
the ACL says "ok", SELinux can still override it.  If the ACL says "no",
access will be denied before SELinux is invoked.


- James
-- 
James Morris
<jmorris@xxxxxxxxxx>
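
The "which files can bilbo execute?" question from the message above, worked as an added example that is not part of the original post: because POSIX ACLs are stored with each object, answering it means evaluating every file's ACL in turn. The dump below is constructed sample data in `getfacl` text format, the function names are hypothetical, and the check follows the POSIX.1e evaluation order (owner, named user, group class with mask, other).

```python
# Constructed `getfacl -R`-style dump; paths, users and groups are invented.
SAMPLE = """\
# file: srv/bin/backup
# owner: frodo
# group: hobbits
user::rwx
user:bilbo:r-x
group::r--
mask::r-x
other::---

# file: srv/bin/report
# owner: pippin
# group: hobbits
user::rwx
user:bilbo:rwx
group::r-x
mask::r--
other::--x

# file: srv/bin/notes
# owner: bilbo
# group: hobbits
user::rw-
group::r-x
other::r-x
"""

def parse(dump):
    for block in dump.strip().split("\n\n"):
        lines = block.splitlines()
        path, owner, group = (ln.split(": ", 1)[1] for ln in lines[:3])
        acl = [(t, q, p[:3]) for t, q, p in (ln.split(":")[:3] for ln in lines[3:])]
        yield path, owner, group, acl

def allowed(user, groups, owner, group, acl, want):
    get = lambda tag, qual="": [p for t, q, p in acl if (t, q) == (tag, qual)]
    mask = (get("mask") or ["rwx"])[0]  # no mask entry: nothing is filtered
    if user == owner:  # first matching class decides; later ones are not consulted
        return want in get("user")[0]  # the owner entry is never masked
    if get("user", user):
        return want in get("user", user)[0] and want in mask
    grp = [p for t, q, p in acl if t == "group" and (q or group) in groups]
    if grp:
        return any(want in p and want in mask for p in grp)
    return want in get("other")[0]

def executable_by(user, groups, dump):
    return [f for f, o, g, acl in parse(dump) if allowed(user, groups, o, g, acl, "x")]
```

Note that bilbo is denied on `srv/bin/report` by the mask and on `srv/bin/notes` by his own owner entry, even though the "other" class would permit execution in both cases, so a scan that only looks at mode bits would give the wrong answer.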


