I have a requirement which seems to be most easily satisfied by confining unconfined users. Please let me explain:

Imagine some file "foo" that must remain secret. Now imagine a dynamic system which must allow arbitrary (possibly untrustworthy, possibly as-root, possibly user-installed) programs to run. Nothing matters except keeping "foo" secret.

Is it possible to construct an SELinux policy which would satisfy such a requirement? For example, it would be helpful to allow users to run their programs unconfined (to allow user-installed, policyless, etc. programs) yet still enforce the policy as it pertains to "foo". Of course, it further seems that SELinux would also have to ensure certain other restrictions apply to unconfined users, such as running semodule or insmod.

Alternatively, would it be possible to construct a not-quite-unconfined user by granting all syscalls on all objects *except* those labeled "foo_t" (and semodule, etc.)?

I have worked with custom policies before, both for software I have written and for standard software, but this seems a bit different. It may be that I have my model wrong, so I would appreciate any guidance, whether along the implementation lines I suggested or not (but holding to the original requirements). It is also possible that I have overlooked some existing literature.

Thank you!

-- Mike
:wq

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux