SELinux UseCases

Joseph Reynolds jrey at linux.ibm.com
Wed May 13 04:18:03 AEST 2020


On 5/10/20 11:34 PM, Manojkiran Eda wrote:
> Hi All,
> This is just a ping - to generate a discussion on the below 
> mentioned use-cases.
> Appreciate any inputs/comments.

Thanks for putting this together.

I would like to see SELinux limit who can write to files under the /etc 
directory.  For example, bmcweb implements REST APIs to add and modify 
local users, control pam_tally2 account lockout parameters, etc.  More 
specifically, the phosphor-user-manager daemon modifies files like 
/etc/shadow and /etc/pam.d/common_auth.  Only this application should be 
able to write to these files.  Also, this daemon should not be allowed 
to write to any other config files.

- Joseph

> Thanks,
> Manoj
>
>     ----- Original message -----
>     From: Manojkiran Eda/India/IBM
>     To: openbmc at lists.ozlabs.org, rnouse at google.com
>     Cc: ratagupt at linux.vnet.ibm.com
>     Subject: SELinux UseCases
>     Date: Thu, Apr 30, 2020 6:50 PM
>     Hi All,
>     (My apologies for the lengthy email.)
>     Below are a few use-cases in BMC, which I feel inclusion of SELinux
>     would be a value add (there could be many more missing). Please
>     feel free to drop-in your comments/feedback.
>
...snip...
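
Added example, not part of the original thread or of OpenBMC's code: a check that a set of SELinux allow rules meets the requirement stated in the reply above (only the user manager may modify /etc/shadow and /etc/pam.d/common_auth, and it may not modify other config files). All type names (phosphor_user_manager_t, pam_conf_t, net_conf_t, bmcweb_t) and the sample rules are assumptions made for illustration.

```python
import re

# Hypothetical SELinux type names (assumptions, not taken from the thread).
USER_MGR = "phosphor_user_manager_t"      # domain of phosphor-user-manager
PROTECTED = {"shadow_t", "pam_conf_t"}    # /etc/shadow, /etc/pam.d/common_auth
OTHER_CONFIG = {"etc_t", "net_conf_t"}    # other config files under /etc
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}

# Matches "allow src tgt:class { p1 p2 };" and "allow src tgt:class p1;".
RULE = re.compile(r"^allow\s+(\S+)\s+([^\s:]+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_allow(line):
    """Return (source, target, class, perms) for an allow rule, else None."""
    m = RULE.match(line.strip())
    if m is None:
        return None
    src, tgt, cls, braced, single = m.groups()
    return src, tgt, cls, set((braced if braced is not None else single).split())

def audit(policy_text):
    """List the rules that break either half of the requirement."""
    findings = []
    for line in policy_text.splitlines():
        rule = parse_allow(line)
        if rule is None or rule[2] != "file":
            continue
        src, tgt, _, perms = rule
        granted = sorted(perms & WRITE_PERMS)
        if not granted:
            continue  # read-only access is outside the stated requirement
        if tgt in PROTECTED and src != USER_MGR:
            findings.append((src, tgt, granted, "other domain can modify protected file"))
        elif tgt in OTHER_CONFIG and src == USER_MGR:
            findings.append((src, tgt, granted, "user manager can modify other config"))
    return findings

# Constructed sample rules; attributes are assumed already expanded to types.
SAMPLE = """\
allow phosphor_user_manager_t shadow_t:file { getattr open read write append };
allow phosphor_user_manager_t pam_conf_t:file { open read write };
allow phosphor_user_manager_t etc_t:file { getattr open read };
allow phosphor_user_manager_t net_conf_t:file { open write };
allow bmcweb_t shadow_t:file { open read write };
allow bmcweb_t etc_t:file read;
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```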


