On 03/26/2015 04:08 PM, W. Michael Petullo wrote:
> I have a requirement which seems to be most easily satisfied by confining
> unconfined users. Please let me explain:
>
> Imagine some file "foo" that must remain secret. Now imagine a dynamic
> system which must allow arbitrary (possibly untrustworthy, possibly
> as-root, possibly user-installed) programs to run. Nothing matters except
> keeping "foo" secret.
>
> Is it possible to construct an SELinux policy which would satisfy such
> a requirement?
>
> For example, it would be helpful to allow users to run their programs
> unconfined (to allow user-installed, policyless, etc. programs) yet still
> enforce the policy as it pertains to "foo". Of course, it further seems
> that SELinux would also have to ensure certain other restrictions apply
> to unconfined users, such as running semodule or insmod.
>
> Alternatively, would it be possible to construct a not-quite-unconfined
> user by granting all syscalls on all objects *except* those labeled
> "foo_t" (and semodule, etc.)?
>
> I have worked with custom policies before both for software I have written
> and for standard software, but this seems a bit different. It may be that
> I have my model wrong, so I would appreciate any guidance whether along
> the implementation lines I suggested or not (but holding to the original
> requirements). It is also possible that I have overlooked some existing
> literature.
>
> Thank you!
>

Probably not. I would suggest you look into Containers with SELinux wrappers though. That might get you close to what you want.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux