Re: Removing DAC.

Russell Coker wrote:
On Monday 24 March 2008 02:54, "cinthya aranguren" <cinthya.aranguren@xxxxxxxxx> wrote:
Is there any way to avoid or remove DAC controls? I'd like to have only one
security scheme in my system. I mean a pure SELinux system, not DAC + MAC.
Only MAC.

Back in about 2003 as an experiment I changed the ownership of all files on a SE Linux strict system to root and changed the permission to 777. It didn't work very well. One problem was that many programs rely on the Unix

Right, that wouldn't work well because it would deteriorate, programs set umasks when making files, etc. Just ignoring the bits would probably work a lot better :)

permissions to identify the difference between a configuration file and a shell script. In directories such as /etc there is not sufficiently fine-grained SE Linux labelling to replace this use of Unix permissions.


Why does that matter? /etc is read only for the vast majority of processes and anything with passwords, etc. in them should have their own labels.

It's possible that in the last 5 years things have changed significantly, but my last experiments showed enough obstacles to make me not want to bother going further with it.


We certainly have a lot more types today, I'm not sure if that was the real obstacle though.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
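
The disagreement above turns on whether files that share one SELinux type are still told apart by their Unix mode bits. The following is an added example, not code from either poster or from the SELinux project: it groups regular files by SELinux type and reports the types that contain both executable and non-executable files, which is where the execute bit carries information the label does not. The sample inventory, its paths and the function names are constructed for illustration.

```python
import os
import stat
from collections import defaultdict

# Constructed sample inventory: (path, mode, SELinux type). Not from a real system.
SAMPLE = [
    ("/etc/hosts", 0o100644, "etc_t"),
    ("/etc/example.conf", 0o100644, "etc_t"),
    ("/etc/example.d/run-hook", 0o100755, "etc_t"),
    ("/etc/shadow", 0o100600, "shadow_t"),
    ("/etc/rc.d/init.d/exampled", 0o100755, "initrc_exec_t"),
]

def selinux_type(path):
    """Return the type field of the file's SELinux label, or None if unlabeled."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError:
        return None
    # Label layout is user:role:type[:level], e.g. system_u:object_r:etc_t:s0
    fields = raw.rstrip(b"\x00").decode().split(":")
    return fields[2] if len(fields) >= 3 else None

def inventory(root):
    """Walk root and yield (path, mode, type) for every regular file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, selinux_type(path)

def dac_only_distinctions(records):
    """Return the types whose files include both executable and non-executable ones."""
    by_type = defaultdict(lambda: {True: [], False: []})
    for path, mode, setype in records:
        by_type[setype][bool(mode & 0o111)].append(path)
    return {t: g for t, g in by_type.items() if g[True] and g[False]}

if __name__ == "__main__":
    # Swap SAMPLE for inventory("/etc") to inspect a live SELinux system.
    for setype, groups in dac_only_distinctions(SAMPLE).items():
        print(setype, "exec:", groups[True], "non-exec:", groups[False])
```
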
