On 11/17/10 07:54, Roberto Sassu wrote: > i'm using the Fedora 13 operating system with shipped SELinux policy. > I want to add a basic protection for regular users by using the UBAC feature and > letting them to log on the system with the confined domain 'user_t'. > A problem that i have found when using the policy with this feature enabled > is that root logs on the system with user 'unconfined_u' or 'root' and files created > or updated after doing an administrative task cannot be accessed by regular users. > In order to have the system working i have to execute root processes that > make changes on the system with user 'system_u'. This should only be the case for user files and domains. Other system files, such as those in /etc, should be unaffected. > One solution to overcome this issue may be to add an exception to the policy, > as done for the 'system_u' user, so that UBAC will be applied only to SELinux users > tied to regular users, living other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u' > unprotected. > Does this is the right way to modify the policy in order to enforce the protection > required or there are other alternatives? It depends on your security goals. If that still meets your goals, then yes. I would not include this upstream as it requires separation of all users. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
