From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 17 Oct 2016 21:05:25 -0400
Subject: [refpolicy] Confining services without confining users
In-Reply-To: <67130EC7AFA3FE4E9290B03665B351F4056B05@SE-EX022.groupinfra.com>
References: <67130EC7AFA3FE4E9290B03665B351F4056B05@SE-EX022.groupinfra.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/17/16 17:29, Fakim, Walid via refpolicy wrote:
> I have a question around service confinement when on a system the users
> are not being confined. Let's take the example of httpd. So, the httpd
> service is confined as default within RHEL.
>
> However, on a system given that user confinement is not being
> implemented, from an SELinux perspective, what extra measures can be
> taken? Or will system service confinement suffice?
>
> More generally, what is the consensus around confining services without
> concurrently confining users?

It depends on what your goals are. Distributions typically don't do too
much confinement on users because average users aren't expecting their
users to be confined more than the regular Linux DAC. Targeting services
allows most people to keep SELinux enforcing and gain some security
benefits.

If you leave your users unconfined, then you're saying that you
completely trust your users (from the SELinux perspective) and only want
to rely on Linux DAC protections. The problem with this amount of trust
is that many users run web browsers or other network clients that may
not be so trustworthy, which is why web browsers typically have some
confinement and also why tools like sandbox exist.

--
Chris PeBenito
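A quick way to see the situation Chris describes on a targeted-policy host (services such as httpd confined, interactive users and the network clients they launch in unconfined_t) is to look at the SELinux type of each running process. The script below is an added example, not code from the thread or from refpolicy: it parses `ps -eZ`-style lines (the sample block is constructed, not captured from a real host), extracts the type field of each context, and reports which processes run unconfined. On a real system, replace the sample with the live output of `ps -eZ`.

```shell
#!/bin/sh
# Added example: classify processes by SELinux domain from `ps -eZ`-style
# output.  SAMPLE_PS is constructed for illustration (not real host data);
# the column layout matches `ps -eZ`: LABEL PID TTY TIME CMD.
SAMPLE_PS='system_u:system_r:httpd_t:s0                         1234 ?        00:00:01 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2345 pts/0    00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2346 pts/0    00:00:12 firefox
system_u:system_r:sshd_t:s0-s0:c0.c1023                 980 ?        00:00:00 sshd
system_u:system_r:init_t:s0                               1 ?        00:00:02 systemd'

# domain_of CONTEXT: print the type (third colon-separated field) of an
# SELinux context such as user_u:role_r:type_t:level.
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_unconfined CONTEXT: succeed when the context's type is unconfined_t,
# i.e. the process is subject only to Linux DAC, not to a confined domain.
is_unconfined() {
    [ "$(domain_of "$1")" = "unconfined_t" ]
}

# list_unconfined: print the command name of every sampled process whose
# domain is unconfined_t (here: the user shell and the browser it started).
list_unconfined() {
    printf '%s\n' "$SAMPLE_PS" | while read -r ctx pid tty time cmd; do
        if is_unconfined "$ctx"; then
            printf '%s\n' "$cmd"
        fi
    done
}

# count_unconfined: number of sampled processes running in unconfined_t.
count_unconfined() {
    list_unconfined | wc -l | tr -d ' '
}

# list_confined: print "type command" for every process in a confined domain.
list_confined() {
    printf '%s\n' "$SAMPLE_PS" | while read -r ctx pid tty time cmd; do
        if ! is_unconfined "$ctx"; then
            printf '%s %s\n' "$(domain_of "$ctx")" "$cmd"
        fi
    done
}

# Stand-alone run: show the split between confined services and
# unconfined user processes.  Swap SAMPLE_PS for `ps -eZ` on a live host.
echo "Confined processes (type command):"
list_confined
echo "Unconfined processes:"
list_unconfined
```

Reading the output against the thread: every service (httpd_t, sshd_t, init_t) sits in its own domain, while `bash` and `firefox` run as unconfined_t, so the browser that Chris calls out as untrustworthy has exactly the access its DAC user has and nothing in the policy limits it further.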