On Wed, 2017-06-21 at 08:58 -0700, Bill D wrote: > Hello, > > Is it possible to enforce directory read/write/execute control using > categories? > > For example, using a category, I would like Linux users assigned to > that > category to have read/write/execute rights to directory /opt/foo. > > Other Linux users that do not have that category assigned should not > have read/write/execute access to /opt/foo > > I know this can be done with normal DAC procedures using groups > and/or > file permission tools such as chmod and chown. > > And I also know that it can done with SELinux TE (i.e create an > SELinux > security policy) > > But can it be done by using just categories? Yes, that is how sandbox, libvirt, docker, and other tools isolate sandboxes, VMs, containers, etc. And Android uses it for user isolation and potentially app isolation in the future. Categories are suitable when your primary goal is isolation. In Fedora, you would need to mark the user domains as MCS constrained since that is no longer the default. Depending on your particular goals, you might need to revise the MCS constraints, but they may be sufficient as is. _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
