From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 18 Oct 2016 10:47:33 +0200
Subject: [refpolicy] Confining services without confining users
In-Reply-To: <67130EC7AFA3FE4E9290B03665B351F4056B05@SE-EX022.groupinfra.com>
References: <67130EC7AFA3FE4E9290B03665B351F4056B05@SE-EX022.groupinfra.com>
Message-ID: <76da25da-fbc8-b5fe-fb56-4ba2a781c6ee@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/17/2016 11:29 PM, Fakim, Walid via refpolicy wrote:
> Hi Dominick et ALL,
> 
> Hope you're well.
> 
> I have a question around service confinement when on a system the users are not being confined - Let's take the example of httpd. So, the httpd service is confined as default within RHEL.
> 
> However, on a system given that user confinement is not being implemented, from an SELinux perspective, what extra measures can be taken? Or will system service confinement suffice?
> 
> More generally, what is the consensus around confining services without concurrently confining users?
> 
> Thanks.
> 
> Best Regards,
> 
> Walid Fakim
> 
> 
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 

This is a nice blog for some context:
http://blog.ometer.com/2016/05/04/professional-corner-cutting/

Now that you have read the above, consider the following: SELinux is a
tool in the security toolbox of a security specialist



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161018/6e08183c/attachment.bin