SElinux integrety check
How can I check (with SELinux) access to the file by process name?
For example, we have 2 processes:
/usr/bin/foo1
/usr/bin/foo2
They are run under account with username userA
and try to open for modify file:
/home/userA/test.txt
I want that if foo1
tries开发者_JAVA百科 to open file - it's ok. But if foo2
tries to open
this file - I have message about this in /var/log
.
Problem is that both processes have the same user ID. And I can't use RBAC by username.
You'd have to give both foo1
and foo2
custom domain types to run in using SELinux policy. This would entail:
- Create types for the binaries (e.g.
foo1_exec_t
andfoo2_exec_t
) - Create types for the processes (e.g.
foo1_t
andfoo2_t
) - Specify that when the user type (likely
unconfined_t
) executesfoo1_exec_t
, it transitions tofoo1_t
and similar forfoo2
Then you need to create a custom type for test.txt
(e.g. test_t
)
Once you've done this, you can write whatever policy you like for these (including an auditallow
rule for the particular access you're looking for). The catch is that by creating custom types, you'll have to specify all access for them.
If you're not looking to do any access control, but rather just log when something happens, the audit subsystem is a better choice, though I don't know that you can be this granular with it.
精彩评论