On Mon, 21 Jan 2002, Lonnie Cumberland wrote:

> I will next be installing OpenOffice/StarOffice on my SELinux server
> but would like not to allow the guest domain users to run many of the
> existing applications that are in the "/bin /sbin /usr/bin ...."
> directories.
>
> Perhaps only allow them to run just a few that I will decide upon.

What do you hope to achieve by this restriction? What do you gain in security by preventing a user from running a program in /bin if he can run OpenOffice/StarOffice? Do you really care what programs can be run by the user, or just what processes and files he can access, regardless of the program that he happens to use?

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.