* Policies for Devices?
@ 2009-04-11 3:49 Robert Mykland
2009-04-11 4:19 ` Justin Mattock
2009-04-13 13:53 ` Stephen Smalley
0 siblings, 2 replies; 3+ messages in thread
From: Robert Mykland @ 2009-04-11 3:49 UTC (permalink / raw)
To: selinux
Folks,
Is there a way I can use policies to prevent a specific device, say a
USB key, from being written to except by one specific application? If
so, how would I go about writing that?
Thanks in Advance,
-- Robert.
--
Robert Mykland Voice: (831) 212-0622
Founder/CTO Ascenium Corporation
"A new world of computing fulfilling people's lives"
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Policies for Devices?
2009-04-11 3:49 Policies for Devices? Robert Mykland
@ 2009-04-11 4:19 ` Justin Mattock
2009-04-13 13:53 ` Stephen Smalley
1 sibling, 0 replies; 3+ messages in thread
From: Justin Mattock @ 2009-04-11 4:19 UTC (permalink / raw)
To: Robert Mykland; +Cc: selinux
On Apr 10, 2009, at 8:49 PM, Robert Mykland wrote:
> Folks,
>
> Is there a way I can use policies to prevent a specific device, say
> a USB key, from being written to except by one specific
> application? If so, how would I go about writing that?
>
> Thanks in Advance,
>
> -- Robert.
>
> --
> Robert Mykland Voice: (831) 212-0622
> Founder/CTO Ascenium Corporation
> "A new world of computing fulfilling people's lives"
From here,
normally any of my USB devices (example: thumb drives)
will be denied access until I relabel and write the
allow rules for them into the policy.
regards,
Justin P. Mattock
* Re: Policies for Devices?
2009-04-11 3:49 Policies for Devices? Robert Mykland
2009-04-11 4:19 ` Justin Mattock
@ 2009-04-13 13:53 ` Stephen Smalley
1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2009-04-13 13:53 UTC (permalink / raw)
To: Robert Mykland; +Cc: selinux
On Fri, 2009-04-10 at 20:49 -0700, Robert Mykland wrote:
> Folks,
>
> Is there a way I can use policies to prevent a specific device, say a
> USB key, from being written to except by one specific application? If
> so, how would I go about writing that?
SELinux can control:
- what processes can access device files (read/write to the device file
types),
- what processes can mount filesystems (mount to the filesystem type,
mounton to the mountpoint directory),
- what processes can read/write a mounted filesystem (read/write to the
file types in the filesystem).
So SELinux can certainly limit the ability of applications to access
particular devices. Exactly how one maps that down to a given system
depends on your particular environment and usage model, and may involve
more than just policy.
--
Stephen Smalley
National Security Agency
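
The three control points listed in the reply above, written out as a loadable policy module. This is an added example, not part of the original thread. All usbkey_* names are hypothetical; mount_t, dosfs_t, file_type and device_node are assumed to exist as on a reference-policy-based system, with a vfat key mounted using the context= option.

```selinux
module usbkey 1.0;

require {
    type usbkey_writer_t;   # hypothetical: existing domain of the one permitted application
    type mount_t;           # assumed: domain that runs mount(8)
    type dosfs_t;           # assumed: default label of a vfat filesystem
    attribute file_type;    # assumed: attribute for types that label files
    attribute device_node;  # assumed: attribute for types that label /dev nodes
    class blk_file { getattr open read write ioctl };
    class filesystem { associate getattr mount unmount relabelfrom relabelto };
    class dir { getattr open read search write add_name remove_name };
    class file { getattr open read write append create unlink };
}

# 1. Device file. The key's block node gets its own type. Putting that label
#    on the node happens outside this module (file contexts, a udev rule or
#    a manual relabel). Drop the allow rule if the application only writes
#    through the mounted filesystem and never touches the raw node.
type usbkey_device_t;
typeattribute usbkey_device_t device_node;
allow usbkey_writer_t usbkey_device_t:blk_file { getattr open read write ioctl };

# 2. Mount. vfat stores no per-file labels, so the key is mounted with
#    context="system_u:object_r:usbkey_file_t:s0"; the mounting domain
#    relabels the filesystem from its default type to the dedicated one.
type usbkey_file_t;
typeattribute usbkey_file_t file_type;
allow mount_t dosfs_t:filesystem relabelfrom;
allow mount_t usbkey_file_t:filesystem { relabelto mount unmount };
allow usbkey_file_t self:filesystem associate;

# 3. Files on the mounted filesystem. Only the writer domain is granted
#    write access by this module.
allow usbkey_writer_t usbkey_file_t:filesystem getattr;
allow usbkey_writer_t usbkey_file_t:dir { getattr open read search write add_name remove_name };
allow usbkey_writer_t usbkey_file_t:file { getattr open read write append create unlink };
```

Allow rules are additive, so rules elsewhere in the loaded policy that are written against the file_type or device_node attributes (unconfined domains, for instance) can still grant access to these types. Running `sesearch -A -t usbkey_file_t -c file -p write` against the loaded policy lists every domain that can actually write.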