jrey at linux.ibm.com
Wed May 13 04:18:03 AEST 2020
On 5/10/20 11:34 PM, Manojkiran Eda wrote:
> Hi All,
> This is a just a ping - to generate a discussion on the below
> mentioned use-cases.
> Appreciate any inputs/comments.
Thanks for putting this together.
I would like to see SELinux limit who can write to files under the /etc
directory. For example, bmcweb implements REST APIs add and modify
local users, control pam_tally2 account lockout parameters, etc. More
specifically, the phosphor-user-manager daemon modifies files like
/etc/shadow and /etc/pam.d/common_auth. Only this application should be
able to write to these file. Also, this daemon should not be to allowed
to write to any other config files.
> ----- Original message -----
> From: Manojkiran Eda/India/IBM
> To: openbmc at lists.ozlabs.org, rnouse at google.com
> Cc: ratagupt at linux.vnet.ibm.com
> Subject: SELinux UseCases
> Date: Thu, Apr 30, 2020 6:50 PM
> Hi All,
> (My apologies for the lengthy email.)
> Below are few use-cases in BMC, which i feel inclusion of SELinux
> would be a value add (there could be may more missing). Please
> feel free to drop-in your comments/feedback.
More information about the openbmc