On 08/11/2009 06:54 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>
> We are trying to migrate our existing security policies to SELinux. We
> are new to SELinux and hence are finding it difficult to map our
> existing policies.
>
> In our existing policy, all applications (including ones running as root
> user) with the exception of insmod and modprobe, are denied access to
> /lib directory. How would we go about writing such a policy without
> actually confining every application manually, since that would indeed
> be cumbersome?
>
> Thanks,
> Anamitra & Radha.
>

So you want to control an administrator that is logged in as root from writing to /lib? Not very easy to do. If he can disable selinux, load kernel modules, install rpm ... He can easily circumvent your protection.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list