From: Ioannis Aslanidis <iaslanidis@flumotion.com>
To: selinux@tycho.nsa.gov
Subject: Re: Quick question
Date: Tue, 27 May 2008 21:12:51 +0200	[thread overview]
Message-ID: <483C5D33.3000800@flumotion.com> (raw)
In-Reply-To: <1211912805.19360.65.camel@moss-spartans.epoch.ncsc.mil>

Understood. That changes the policy a little, but I could still create
one mount point per user inside his own home. That still leaves me with
the possibility of listing /home, which could be achieved by removing
the read flag on the directory in normal permission mode and so on, so I
guess SELinux wouldn't be needed in that case.

Thanks for your help. If you have any comments or proposals I am open to
them.

Thanks once again,

Ioannis

Stephen Smalley wrote:
> On Tue, 2008-05-27 at 20:08 +0200, Ioannis Aslanidis wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Stephen Smalley wrote:
>>> If I understand correctly, you want to provide separation on a per-user
>>> basis (not just per-role) for NFS-mounted home directories.  I don't
>>> think that is realistically supportable by SELinux today, as 1) SELinux
>>> distinguishes based on security context/label, not uid, and 2) NFS
>>> doesn't support file labeling yet.  Sounds more like a job for 'normal
>>> permissions' i.e. discretionary access modes and/or ACLs.  There is
>>> ongoing work to support file labeling in NFSv4, but it is still in
>>> development, and even then, instantiating a separate role for every user
>>> is going to be problematic for any large number of users.
>>>
>>
>> And would there be a way to do something so that each user has a
>> different context? That is to say, I can assign a different context to
>> each user and have something easily maintained. Do you see that viable?
> 
> It can be done (e.g. you can define a SELinux user in policy for each of
> your users and then use a policy constraint on the user identity field
> to enforce the separation, or you can define per-user roles in policy
> and use the RBAC support), but I'm not sure how practical it is.  But
> even if it were done, without labeling support in NFS, you can't use it
> for NFS-mounted home directories (you are limited to a single context
> per filesystem there at present).
> 
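An added illustration, not from the thread, of the first mechanism Stephen describes above: one SELinux user per Linux account plus a policy constraint on the user identity field, followed by the reason it cannot separate users on a single-context NFS mount. The identities alice_u and bob_u, the permission set, and the mount line are assumptions chosen for the example.

```selinux
# Added example (not the thread's own policy). Raw kernel policy syntax as
# accepted by checkpolicy, non-MLS. Assumed names: alice_u, bob_u, user_r,
# can_change_object_identity (a refpolicy attribute), nfs_t.

# One SELinux user identity per Linux account; this is the "user identity
# field" the constraint below compares. Logins are mapped to them with
# seusers, e.g. "semanage login -a -s alice_u alice".
user alice_u roles { user_r };
user bob_u   roles { user_r };

# Constraint on the user field: the subject's SELinux user (u1) must equal
# the user recorded in the object's label (u2) for these permissions, unless
# the subject's type carries the attribute that may cross identities.
# All listed permissions are in the common file set, so they are valid for
# every class named here.
constrain { dir file lnk_file sock_file fifo_file chr_file blk_file }
          { read write append create unlink rename setattr }
(
    u1 == u2
    or t1 == can_change_object_identity
);

# Why this does not help for NFS-mounted homes (Stephen's second point):
# with no file labeling on NFS, every file on the mount carries the single
# context chosen at mount time, for example
#   mount -t nfs -o context=system_u:object_r:nfs_t:s0 server:/home /home
# so u2 is system_u for alice's files and bob's files alike. u1 == u2 is then
# false for both users: the constraint either denies everyone or, if nfs_t is
# exempted, separates nobody. Per-user separation there is a job for
# discretionary modes and ACLs, as the thread concludes.
```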

