On 07.02.2018 at 21:56, James Ralston wrote:
> Our users have a tendency to install software that, per company policy, is not permitted to be installed. Most users have sudo privileges on their hosts, which is how they install the software.

I don't think there is a ready-made AppLocker thing for Linux. There is Linux IMA which maybe could be used to run only signed code.
https://lwn.net/Articles/733431/
http://linux-ima.sourceforge.net/

SELinux might support you by not giving users rights to install software at all. But if they don't have the rights to install software, that normally also implies they can't do what they need to. ;-)

> Note that we *are not* trying to stop malicious users from deliberately installing software they know is forbidden. Our main problem is that our users typically don't bother to consult the "forbidden software" list before installing.

You could have a policy that only signed RPMs can be installed and implement monitoring of installed rpm gpg keys and verify all installed packages match a known signature.

There is some ugly looking rpm command to list RPMs with their signing key:
http://lists.rpm.org/pipermail/rpm-list/2011-December/001048.html

And an example command to list installed rpm gpg keys:

    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

- Thomas
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
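As an added illustration of the "verify all installed packages match a known signature" check suggested in the reply above (my own example, not code from the thread), the script below audits a list of installed packages with their signing key against an allowlist. It assumes the input comes from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'` (query tag and output shape assumed from the format rpm prints for signatures), and the key IDs in ALLOWED_KEYS and the sample packages are invented placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit installed RPMs against an allowlist
# of signing keys. Assumed input, one line per package, as produced by
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'
# i.e. "<nvr> RSA/SHA256, <date>, Key ID <16 hex digits>" or "<nvr> (none)".
# ALLOWED_KEYS holds 8-hex-digit short key IDs, the form in which
# rpm -q gpg-pubkey names installed keys (gpg-pubkey-<short id>-<date>).
# The two IDs below are hypothetical placeholders, not real vendor keys.
ALLOWED_KEYS="${ALLOWED_KEYS:-f4a80eb5 b9a8e9e3}"

# audit_signatures: reads package lines on stdin, prints one line per package
# that is unsigned or signed by a key outside ALLOWED_KEYS, and returns the
# number of such packages (0 = clean; the shell caps return values at 255).
audit_signatures() {
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        pkg=${line%% *}          # NVR is the first token
        sig=${line#* }           # the rest is the signature text
        case "$sig" in
            *"Key ID "*)
                keyid=${sig##*Key ID }                 # long (16 hex) key ID
                short=${keyid#"${keyid%????????}"}     # keep the last 8 hex digits
                short=$(printf '%s' "$short" | tr '[:upper:]' '[:lower:]')
                case " $ALLOWED_KEYS " in
                    *" $short "*) ;;                   # signed by an allowed key
                    *) echo "UNKNOWN-KEY $pkg $short"; bad=$((bad + 1)) ;;
                esac ;;
            *) echo "UNSIGNED $pkg"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed sample in the assumed format (package names and dates invented).
SAMPLE='bash-4.4.19-1.x86_64 RSA/SHA256, Tue 12 Sep 2017 10:00:00 AM CEST, Key ID 8e3f44d3f4a80eb5
openssl-1.1.0g-1.x86_64 RSA/SHA256, Mon 04 Dec 2017 09:00:00 AM CET, Key ID 2a1f9d00b9a8e9e3
vendor-agent-2.1-3.x86_64 RSA/SHA256, Mon 05 Feb 2018 01:00:00 PM CET, Key ID 1c43ff7e9bd7b2e0
local-build-tool-0.1-1.x86_64 (none)'

# Stand-alone demo on the sample; on a real host pipe the rpm -qa output in instead.
if printf '%s\n' "$SAMPLE" | audit_signatures; then
    echo "all installed packages are signed by an allowed key"
else
    echo "policy violations found (listed above)"
fi
```

Run from cron and alert on a non-zero exit to catch packages installed from unknown sources without blocking anyone.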