On Wed, Nov 2, 2016 at 12:31 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 11/02/2016 11:10 AM, Patrick Doyle wrote:
>> I didn't realize that saying "Allow all access" would circumvent the
>> normal Linux-based file permissions. I assumed that SELinux was
>> layered on top of those permissions. I guess I have more to learn.
>
> No, my comments were with respect to SELinux, not DAC. DAC is still in
> effect and SELinux does not override DAC denials. But the point
> remains: if you are trying to protect against an errant root process,
> then the policy you described won't provide any real protection.
>

OK, thanks. That's good to know. I was (perhaps foolishly) trying to describe a policy that protected the one thing I knew I wanted protected, and left everything else as (un)protected as it would be without SELinux.

But I'm going to stop asking questions now until I spend more time reading the documentation, trying things, and understanding more things.

I appreciate your time (and the patience) you have given me thus far.

Now that I know my quest (executable, but not readable, even by root) is not impossible, it's time for me to go do some more legwork (and brainwork). And at the end of this process, I expect I'll have a solution that is even more secure than my original quest.

Thanks again.

--wpd
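The exchange above turns on how the kernel composes the two checks: DAC (mode bits, which root bypasses via CAP_DAC_OVERRIDE) is evaluated first, and SELinux is consulted only if DAC allows, so both must permit the access. An "allow all access" SELinux policy therefore collapses to plain DAC, which an errant root process passes, while a policy that grants only `execute` on the file's type denies root's `read` regardless of uid. The following Python model is an added example written for this page; it is not part of the list thread and not SELinux's own code. The `File`, `Process` and `Policy` classes, the `access` function, the type labels `secret_exec_t` and `ordinary_t`, and the two policies are constructed here for illustration; the real policy language and the reference policy's treatment of unconfined domains are far richer than this two-rule table.

```python
# Toy model of a Linux access decision: DAC first, then SELinux type
# enforcement. Everything below is constructed for this demonstration.
from dataclasses import dataclass

@dataclass(frozen=True)
class File:
    owner_uid: int
    mode: int          # Unix permission bits, e.g. 0o711 (constructed)
    setype: str        # SELinux type label on the file (constructed)

@dataclass(frozen=True)
class Process:
    uid: int
    domain: str                       # SELinux domain of the process
    caps: frozenset = frozenset()     # e.g. {"CAP_DAC_OVERRIDE"}

# Permission name -> mode bit within one rwx triplet.
_PERM_BIT = {"read": 4, "write": 2, "execute": 1}

def dac_allows(proc: Process, f: File, perm: str) -> bool:
    """Discretionary check. CAP_DAC_OVERRIDE bypasses read/write bits
    entirely and bypasses execute as long as some x bit is set (the
    kernel's rule for that capability). Group bits are omitted for
    brevity; only owner vs. other is modelled."""
    if "CAP_DAC_OVERRIDE" in proc.caps:
        return bool(f.mode & 0o111) if perm == "execute" else True
    shift = 6 if proc.uid == f.owner_uid else 0
    return bool((f.mode >> shift) & _PERM_BIT[perm])

class Policy:
    """Type-enforcement rules: (source domain, target type) -> perms.
    '*' matches any domain or type, which is how an 'allow all access'
    policy is expressed in this model."""
    def __init__(self, rules: dict):
        self.rules = rules

    def allows(self, proc: Process, f: File, perm: str) -> bool:
        for (src, tgt), perms in self.rules.items():
            if src in ("*", proc.domain) and tgt in ("*", f.setype):
                if perm in perms:
                    return True
        return False   # SELinux default-deny: no matching allow rule

def access(proc: Process, f: File, perm: str, policy: Policy) -> bool:
    """Enforcing-mode decision: DAC must allow AND the policy must allow.
    SELinux never overrides a DAC denial; it can only add denials."""
    return dac_allows(proc, f, perm) and policy.allows(proc, f, perm)

# --- constructed scenario -------------------------------------------------
SECRET = File(owner_uid=1000, mode=0o711, setype="secret_exec_t")
ROOT = Process(uid=0, domain="unconfined_t",
               caps=frozenset({"CAP_DAC_OVERRIDE"}))
USER = Process(uid=1001, domain="user_t")   # not the owner: "other" bits

# The policy from the thread: allow every domain every access on everything.
ALLOW_ALL = Policy({("*", "*"): {"read", "write", "execute"}})

# A policy that protects only the one file type: execute but never read,
# for every domain including root's, and leaves ordinary files alone.
EXEC_ONLY = Policy({
    ("*", "secret_exec_t"): {"execute"},
    ("*", "ordinary_t"): {"read", "write", "execute"},
})

def root_can_read(policy: Policy) -> bool:
    return access(ROOT, SECRET, "read", policy)

def root_can_exec(policy: Policy) -> bool:
    return access(ROOT, SECRET, "execute", policy)

def user_can_read(policy: Policy) -> bool:
    return access(USER, SECRET, "read", policy)

def user_can_exec(policy: Policy) -> bool:
    return access(USER, SECRET, "execute", policy)

if __name__ == "__main__":
    for name, pol in (("allow-all", ALLOW_ALL), ("exec-only", EXEC_ONLY)):
        print(f"{name:10} root read={root_can_read(pol)} "
              f"root exec={root_can_exec(pol)} "
              f"user read={user_can_read(pol)} user exec={user_can_exec(pol)}")
```

Under `ALLOW_ALL`, root reads the file because DAC (via CAP_DAC_OVERRIDE) and the policy both say yes; the unprivileged user is stopped only by the mode bits, exactly as without SELinux. Under `EXEC_ONLY`, root can still execute the file but its read is refused by the type-enforcement table, which is the property the thread is after: the decision is keyed on the process domain and file type, not on uid 0.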