RE: Confining Applications running as root user


Thanks to everyone for their responses.
I have another follow-up question.

Is it mandatory to add all the neverallow rules to assert.te? If so, does
that imply that we need to maintain our own version of assert.te with
the modifications?

Thanks
Anamitra & Radha

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx] 
Sent: Wednesday, August 12, 2009 1:34 PM
To: Anamitra Dutta Majumdar (anmajumd)
Cc: fedora-selinux-list@xxxxxxxxxx
Subject: Re: Confining Applications running as root user

On 08/11/2009 06:54 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> We are trying to migrate our existing security policies to SELinux. We
> are new to SELinux and hence are finding it difficult to map our
> existing policies.
>
> In our existing policy, all applications (including ones running as
> root user) with the exception of insmod and modprobe, are denied access
> to /lib directory. How would we go about writing such a policy without
> actually confining every application manually, since that would indeed
> be cumbersome?
>
> Thanks,
> Anamitra & Radha.
>
So you want to stop an administrator who is logged in as root from
writing to /lib?

Not very easy to do.  If he can disable selinux, load kernel modules,
install rpm ... he can easily circumvent your protection.


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
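As an added illustration that is not part of the thread above: the follow-up asks whether neverallow rules must live in assert.te. In reference-policy syntax a neverallow is simply a statement in a .te file, and the example below places one in a small standalone local module. The type and attribute names (lib_t for /lib, insmod_t for the insmod/modprobe domain, and the domain attribute carried by every process type) are assumed to match the refpolicy-based policy the module is built against.

```selinux
policy_module(local_lib_assert, 1.0)

# Pull in the identifiers this module refers to; they are assumed to be
# the reference-policy names for /lib (lib_t), for insmod/modprobe
# (insmod_t) and for the attribute held by every process domain (domain).
gen_require(`
    attribute domain;
    type lib_t;
    type insmod_t;
')

# neverallow is a build-time assertion, not a runtime denial.  When the
# policy is compiled (for loadable modules, only if expand-check=1 is set
# in /etc/selinux/semanage.conf), the build fails and names the offending
# allow rule if any domain other than insmod_t is granted these
# permissions on lib_t anywhere in the whole policy.  It may be written
# in any .te file; assert.te is only where refpolicy keeps its own.
neverallow { domain -insmod_t } lib_t:dir { write add_name remove_name rmdir };
neverallow { domain -insmod_t } lib_t:file { write append create unlink rename };
```

Two things follow from this. First, a neverallow never blocks anything by itself: the domains still need their allow rules removed, so it does not replace confining the applications, it only catches a policy that forgets to. Second, against a stock Fedora policy this particular assertion is expected to fail at build time, because domains such as rpm_t are allowed to write under /lib; the failure report is the list of domains that would have to be restricted, which is exactly the point Dan's reply makes about rpm and module loading.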
