On Thu, 2005-05-26 at 09:41 +0300, George J. Jahchan wrote:
> How can we setup private user directory that is (recursively) off-limits to
> anyone but the owner (including root), so long as the policy is being
> enforced.
>
> These directory trees would be similarly named for all users:
> "/home_dir_path/Private/" for instance.
First, what do you mean by "root"? An arbitrary uid 0 process like a
daemon or setuid application, or an authenticated administrative user?
The former is easy to restrict, as it only has the capabilities and
permissions allowed by the SELinux policy for its domain. The latter is
difficult, as an admin often has legitimate need to access all files
(e.g. backup), can subvert the OS (e.g. by installing updated OS
software or configuration files that include his own modifications), and
can bypass any OS restrictions (e.g. boot from CD or remove the disk and
put it into a system under his control).
Second, do you truly want per-user separation or just per-
role/domain/level? MAC is more oriented toward the latter. For per-
user separation, you have two options:
- use the existing Linux DAC support, i.e. set file modes in the usual
manner, and only use SELinux to help restrict what processes can
override DAC,
- define per-user entries in policy/users, define a new file type for
these directories, and define a constraint in policy/constraints so that
this type may only be accessed by a process with the same SELinux user
identity.
--
Stephen Smalley
National Security Agency
|
