SELinux Mailing List
Re: User Policy Setup
From: Stephen Smalley <sds_at_tislabs.com>
Date: Mon, 17 Dec 2001 15:15:15 -0500 (EST)
On Mon, 17 Dec 2001 lonnie@outstep.com wrote:
> I am still trying to work out my issues with getting the network working as I

Check your kernel configuration for your network driver and your network options. Did you enable the Netlink support? This seems to be necessary on RH7.2.

> My question is really about setting up the user policies. I have a special

I raised concerns about the practical feasibility of this kind of policy in my previous response to you. However, if you really want to go down this road, you'll need to significantly pare down the example policy. You'll want to have a kernel with the Development Module option running in permissive mode so that you can easily experiment with policy changes without breaking your system.

You'll need to remove many of the file-related rules in policy/domains/every.te. This file contains rules that are applied to every domain and assumes a relatively open environment with regard to read/search access to standard filesystem locations. When you remove those rules, you'll find that many of the system domains will no longer have permissions that they need, so you will need to add back more specific rules to the individual files in policy/domains/system/*.te and policy/domains/program/*.te that grant these permissions to just the domains that need them. Then you can work on pruning the user_domain macro in policy/domains/user/user.te to something more minimal.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Mon 17 Dec 2001 - 15:22:09 EST
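An added illustration of the add-back step described in the message above (not part of the original post and not code from the SELinux distribution): once the broad rules are removed and the kernel runs in permissive mode, the logged AVC denials can be grouped by source domain to draft the narrower per-domain allow rules. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed permissive-mode kernel log excerpt (sample data, not from a real host).
SAMPLE_LOG = """\
eth0: link up
avc:  denied  { read } for  pid=412 exe=/usr/sbin/sshd path=/etc/passwd scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file
avc:  denied  { getattr } for  pid=412 exe=/usr/sbin/sshd path=/etc/passwd scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file
avc:  denied  { read } for  pid=498 exe=/usr/sbin/sshd path=/etc/group scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file
avc:  denied  { search } for  pid=530 exe=/bin/bash path=/usr/lib scontext=jdoe:user_r:user_t tcontext=system_u:object_r:lib_t tclass=dir
"""

# Only the fields needed for a rule: permission set, both contexts, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def context_type(context):
    """Return the type field of a user:role:type security context."""
    return context.split(":")[2]


def allow_rules(log_text):
    """Map each source domain to the sorted allow rules its denials imply."""
    needed = defaultdict(set)  # (domain, target type, class) -> permissions
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC denial
        perms, scontext, tcontext, tclass = match.groups()
        key = (context_type(scontext), context_type(tcontext), tclass)
        needed[key].update(perms.split())  # repeated denials collapse here
    rules = defaultdict(list)
    for (domain, target, tclass), perms in sorted(needed.items()):
        rules[domain].append("allow %s %s:%s { %s };"
                             % (domain, target, tclass, " ".join(sorted(perms))))
    return dict(rules)


if __name__ == "__main__":
    # Drafts only: a denial records what a domain attempted, not what it should get.
    for domain, lines in allow_rules(SAMPLE_LOG).items():
        print("# candidate rules for domain %s" % domain)
        print("\n".join(lines))
```

Each drafted rule still needs review before it goes into a domain's .te file, since granting everything that was denied would recreate the open policy that was just removed.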
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009











