[Novalug] Controlling unauthorized application usage in Linux

Ben Creitz creitz@gmail.com
Fri Mar 28 15:51:23 EDT 2008


On Fri, Mar 28, 2008 at 2:05 PM, Pete Nuwayser <nuwayser@gmail.com> wrote:
> On Fri, Mar 28, 2008 at 1:08 PM, David A. Cafaro <dac@cafaro.net> wrote:
>  > True, SELinux and AppArmor are really a league way above WSR, but if
>  >  someone (like the original question) is asking how Linux might
>  >  protect specific apps from specific users besides just user/group
>  >  permissions,  they are the options of choice.
>
>  Yeah, yeah.  I read the question, all right.  Ben asked if something
>  in Linux provided similar capabilities to WSR.  Well, if I don't think
>  WSR is particularly capable, then I won't compare it to SELinux and AA
>  without fleshing out the differences, right?  ;-)

Pete, I am with you on your original post which illustrates the
differences, and I am with you that WSR does not have any practical
payoff.

My lingering question is whether or not SELinux or AA can be
successful at the type of thing the WSR pretends to offer?  As Dave
said,

"... someone (like the original question) is asking how Linux might
protect specific apps from specific users besides just user/group
permissions..."

To implement something like this in SELinux or AA, I can only picture
myself trying to write a policy that applies to every possible parent
process of a prohibited application which says "you shall not spawn
appx as a child" or similar.  Supposing I could do that (is there a
wildcard? Otherwise I have an infinite list), how is appx identified?
By a path in the FS or by an inode, right?

Ben


