From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 18 Oct 2016 10:47:33 +0200
Subject: [refpolicy] Confining services without confining users
In-Reply-To: <67130EC7AFA3FE4E9290B03665B351F4056B05@SE-EX022.groupinfra.com>
References: <67130EC7AFA3FE4E9290B03665B351F4056B05@SE-EX022.groupinfra.com>
Message-ID: <76da25da-fbc8-b5fe-fb56-4ba2a781c6ee@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/17/2016 11:29 PM, Fakim, Walid via refpolicy wrote:
> Hi Dominick et ALL,
>
> Hope you're well.
>
> I have a question around service confinement when, on a system, the users are not being confined. Let's take the example of httpd. So, the httpd service is confined by default within RHEL.
>
> However, on a system where user confinement is not being implemented, from an SELinux perspective, what extra measures can be taken? Or will system service confinement suffice?
>
> More generally, what is the consensus around confining services without concurrently confining users?
>
> Thanks.
>
> Best Regards,
>
> Walid Fakim

This is a nice blog for some context:

http://blog.ometer.com/2016/05/04/professional-corner-cutting/

Now that you have read the above, consider the following:

SELinux is a tool in the security toolbox of a security specialist

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift