On Fri, Dec 22, 2006 at 08:52:14AM -0600, robm wrote:
> I was thinking of using SELinux in some way but I am still not clear if
> it will help in this situation
SELinux could work in tandem with normal user/group permissions. The
difficult part would be figuring out what can't be locked down, I suspect
the Mandriva GUI probably needs to write/create files/sockets.
You should first try and get it working with normal permissions, then set up
SELinux policies as a backup.
There are also some subtleties with SELinux, for example when you create a
file, the policy applied is that of the context in which you create it. If
you happen to move a file created elsewhere with a different policy, it will
follow the file. I've run into this, on one of our servers after some
updates were applied to a vendor supported web application. If you don't
know what I'm talking about, it probably means you need to spend some time
learning SELinux before trying to user it.
Received on Fri Dec 22 10:02:36 2006
This archive was generated by hypermail 2.1.8 : Fri Dec 22 2006 - 10:02:42 CST