Re: Enforcing directory access control using categories


 



On 06/21/2017 09:23 AM, Stephen Smalley wrote:

> On Wed, 2017-06-21 at 08:58 -0700, Bill D wrote:
>> Hello,
>>
>> Is it possible to enforce directory read/write/execute control using
>> categories?
>>
>> For example, using a category, I would like Linux users assigned to that
>> category to have read/write/execute rights to directory /opt/foo.
>>
>> Other Linux users that do not have that category assigned should not
>> have read/write/execute access to /opt/foo
>>
>> I know this can be done with normal DAC procedures using groups and/or
>> file permission tools such as chmod and chown.
>>
>> And I also know that it can be done with SELinux TE (i.e. create an SELinux
>> security policy)
>>
>> But can it be done by using just categories?
>
> Yes, that is how sandbox, libvirt, docker, and other tools isolate
> sandboxes, VMs, containers, etc.  And Android uses it for user
> isolation and potentially app isolation in the future.  Categories are
> suitable when your primary goal is isolation.
>
> In Fedora, you would need to mark the user domains as MCS constrained
> since that is no longer the default.  Depending on your particular
> goals, you might need to revise the MCS constraints, but they may be
> sufficient as is.

Thank you for the information.  I am using RHEL 6.9 and CentOS 6.9.

Any pointers on how to mark the user domains as MCS constrained and how to view the existing MCS constraints for verification?

Regards,

Bill
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
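
The category check discussed in this thread, as an added example that is not from either poster and is not SELinux policy code: a simplified model of MCS dominance, where a process passes only if the high level of its range carries every category on the object's level. The user names, the ranges and category c100 on /opt/foo are constructed; type-based exemptions in the real MCS constraints and the DAC and TE checks that also apply are not modelled.

```python
import re

def parse_level(level):
    """Parse one level such as 's0:c1,c5.c7' into (sensitivity, category set)."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        c = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # 'c5' or span 'c5.c7'
        if not c:
            raise ValueError(f"bad category: {part!r}")
        lo = int(c.group(1))
        hi = int(c.group(2)) if c.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category span: {part!r}")
        categories.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(categories)

def high_level(mls_range):
    """Return the high (clearance) level of 'low-high'; a single level is both."""
    return parse_level(mls_range.rpartition("-")[2])

def dominates(a, b):
    """a dominates b: sensitivity at least as high and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]

def mcs_allows(subject_range, object_level):
    """Model of the 'h1 dom h2' test between a process range and a file level."""
    return dominates(high_level(subject_range), high_level(object_level))

# Constructed sample data: Linux users mapped to MLS/MCS ranges.
USERS = {
    "alice": "s0-s0:c100",       # has the directory's category
    "bob": "s0",                 # no categories at all
    "carol": "s0-s0:c0.c1023",   # every category, so dominates everything
    "dave": "s0-s0:c7,c101",     # categories, but not c100
}
DIR_LEVEL = "s0:c100"            # constructed level for /opt/foo

def allowed_users(users, object_level):
    """Names whose range passes the dominance test for the object."""
    return sorted(u for u, r in users.items() if mcs_allows(r, object_level))

if __name__ == "__main__":
    print(allowed_users(USERS, DIR_LEVEL))
```

A file labelled with two categories, such as `s0:c100,c101`, requires both in the subject's range, which is why categories isolate rather than grant.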



