SELinux Mailing List

Re: System-wide Access Control: how to go about it
From: Russell Coker <russell_at_coker.com.au>
Date: Fri, 31 May 2002 01:49:01 +0200
# Nodes (default = initial SID 'node')
#
# address mask context
#
# The first matching entry is used.
#
127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t

Define nodes for other IP addresses in a fashion similar to the above, then put in rules to grant access to the ones that are appropriate for each user.

10.0.0.1 255.255.255.255 system_u:object_r:node_user1_t

> 2. They cannot access any files anywhere except in their chrooted system

Why chroot? Why not just give each user their own domain and file type, and only allow them base access to the file system and to their own files.

Something like the following in the policy file should do what you need:

user_domain(user1)
user_domain(user2)
user_domain(user3)
user_domain(user4)

Then something like the following in the file contexts:

/home/user1(|/.*) system_u:object_r:user1_home_t
/home/user2(|/.*) system_u:object_r:user2_home_t
/home/user3(|/.*) system_u:object_r:user3_home_t
/home/user4(|/.*) system_u:object_r:user4_home_t

> 3. I want to be able to allow/disallow the ports they have access to.

I can't think of the syntax for that at the moment, and I haven't got the time to run a test. Maybe tomorrow.

> 4. I'd like to be able to prevent them from using any IP address but the

By default on SE Linux everything is denied, so it shouldn't be too difficult. ;)

> 5. Processes should not be able to "see" or interact with the host's/other

Standard stuff.

I've CC'd this to the SE Linux list, as it's the best place to discuss such things.

--
I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the

Received on Thu 30 May 2002 - 20:14:42 EDT
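The reply above relies on two lookup rules: node entries are matched first-match by address and mask, and file_contexts entries are regexes matched against the whole path. The following Python script is an added example (not part of the mailing-list post or of the SELinux example policy) that parses entries written in those two layouts and shows what label each address and path would get, so the per-user isolation can be checked before the policy is loaded. The sample entries are constructed from the ones quoted in the message; the fallback label system_u:object_r:node_t for the initial SID 'node' and the user10 path are assumptions made for the example. It also demonstrates the anchoring caveat: an unanchored prefix match would let /home/user1's entry swallow /home/user10, while a whole-path match (which is what setfiles does) leaves /home/user10 unlabelled instead of silently giving it user1's type.

```python
import ipaddress
import re

# Constructed sample: node entries in the "address mask context" layout the
# message uses. The first matching entry wins; unmatched addresses fall back
# to the label of the initial SID 'node' (assumed here to be node_t).
NODE_CONTEXTS = """\
# address        mask              context
127.0.0.1        255.255.255.255   system_u:object_r:node_lo_t
10.0.0.1         255.255.255.255   system_u:object_r:node_user1_t
10.0.0.2         255.255.255.255   system_u:object_r:node_user2_t
"""

# Constructed sample: file_contexts entries from the message, one home type per user.
FILE_CONTEXTS = """\
/home/user1(|/.*)   system_u:object_r:user1_home_t
/home/user2(|/.*)   system_u:object_r:user2_home_t
"""

DEFAULT_NODE_CONTEXT = "system_u:object_r:node_t"  # assumed label for initial SID 'node'


def _data_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_node_contexts(text):
    """Return [(address_int, mask_int, context)] in file order."""
    entries = []
    for line in _data_lines(text):
        addr, mask, ctx = line.split()
        entries.append((int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(mask)), ctx))
    return entries


def node_context(entries, ip, default=DEFAULT_NODE_CONTEXT):
    """First entry whose masked address equals the masked ip wins."""
    ip_int = int(ipaddress.IPv4Address(ip))
    for addr, mask, ctx in entries:
        if (ip_int & mask) == (addr & mask):
            return ctx
    return default


def parse_file_contexts(text):
    """Return [(compiled_regex, context)] in file order."""
    entries = []
    for line in _data_lines(text):
        regex, ctx = line.split()
        entries.append((re.compile(regex), ctx))
    return entries


def file_context(entries, path, anchored=True):
    """Label for path: the last matching entry, or None if nothing matches.

    anchored=True matches the whole path, as setfiles does. anchored=False
    reproduces the prefix-match pitfall, where /home/user10 is labelled as user1's.
    """
    result = None
    for regex, ctx in entries:
        hit = regex.fullmatch(path) if anchored else regex.match(path)
        if hit:
            result = ctx
    return result


def overlapping_paths(entries, paths, anchored=True):
    """Paths that would match more than one entry (should be empty for per-user types)."""
    clashes = {}
    for path in paths:
        ctxs = [ctx for regex, ctx in entries
                if (regex.fullmatch(path) if anchored else regex.match(path))]
        if len(ctxs) > 1:
            clashes[path] = ctxs
    return clashes


if __name__ == "__main__":
    nodes = parse_node_contexts(NODE_CONTEXTS)
    fcs = parse_file_contexts(FILE_CONTEXTS)
    for ip in ("127.0.0.1", "10.0.0.1", "192.0.2.7"):
        print(ip, "->", node_context(nodes, ip))
    for p in ("/home/user1", "/home/user1/.ssh/config", "/home/user10", "/etc/passwd"):
        print(p, "->", file_context(fcs, p),
              "| unanchored:", file_context(fcs, p, anchored=False))
```

Run it as a script to see both lookups; the unanchored column exists only to show why file_contexts regexes must be matched against the full path.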
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |