Hi, I am pondering the best approach to design of appropriate filesystem labeling that will reduce the long term complexity of managing contexts and transitions in SeLinux. If I have a suite of services that interface within a single product and those services have the potential to share access to similar sub directory structures, but they currently only access files and execute within their own install directories. It’s obviously better to keep locked down any access outside of each services domain. However, what if all services within a product were permitted open access to all known directories within a product – apart from the obvious i.e. these services could Interfere with each other, are there any reasons why this approach would not be considered a suitable initial approach to seLinux development, with continued Evolution, adding contexts for further refinement of control over time? Are there best practice guides to filesystem labeling that considers the complexity that can Come from excessive labeling? Thanks. Ger. |
