SELinux policies per process, is it possible?
Friends, help me understand.
There is a Debian server on which several (up to 100) processes of the same type are launched in screen sessions from an unprivileged user. The launched software has an unpleasant feature: through a certain vulnerability, the user of one running instance of the process can gain access to all directories and files available to the user under whose account it is launched.
Is it possible with SELinux to confine a running process to the directory from which it is launched?
Chroot will not work, because the control system for these running processes would completely cease to function.
Yes, you can do this with SELinux. The executable is assigned a label, and then a rule is written that allows the process to access only resources with certain labels (contexts). Subsequent accesses outside the allowed directories are blocked by the kernel, even though the file permissions would allow them.
Try searching the web for examples of such isolation. You can start, for example, from here.
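The labeling scheme the answer describes, worked through as an added example (this is not code from the original thread or from any project). It builds a small refpolicy-style module that puts the labeled executable into its own domain and lets that domain touch only one data type; it then goes one step beyond the answer and uses MCS categories so that the roughly 100 instances are also kept apart from each other, since a single domain type alone would still let instance 7 read instance 8's directory. Every concrete name is an assumption for illustration: the module name appiso, the binary /opt/app/bin/app, the instance tree /srv/app/instances/<N>, the Makefile path shipped by Debian's selinux-policy-dev, and the refpolicy interface names, which should be checked against /usr/share/selinux/default/include on the actual host.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds and loads a
# refpolicy-style SELinux module that confines a labeled executable to its own
# data directory, then uses MCS categories to separate the ~100 instances.
# Assumed for illustration: module "appiso", binary /opt/app/bin/app, instance
# tree /srv/app/instances/<N>, the selinux-policy-dev Makefile path, and the
# refpolicy interface names (verify against /usr/share/selinux/default/include).
set -eu

MODULE=appiso
APP_BIN=/opt/app/bin/app                         # hypothetical executable
INSTANCES_DIR=/srv/app/instances                 # hypothetical: one subdir per instance
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile # from selinux-policy-dev (assumed path)

# Type Enforcement source. Only what is listed here is allowed for appiso_t;
# any other access is denied by the kernel regardless of DAC permissions.
gen_te() {
cat <<'EOF'
policy_module(appiso, 1.0.0)

type appiso_t;
type appiso_exec_t;
type appiso_data_t;

application_domain(appiso_t, appiso_exec_t)
files_type(appiso_data_t)

# Executing a file labeled appiso_exec_t from the unconfined user shell (the
# one running inside screen) transitions the process into appiso_t.
unconfined_run_to(appiso_t, appiso_exec_t)

# MCS: a process at s0:c7 may not touch objects at s0:c8 even though both are
# appiso_data_t. This is what keeps the instances apart from one another.
mcs_constrained(appiso_t)

# The instance's own directory tree is the only place it may read or write.
manage_dirs_pattern(appiso_t, appiso_data_t, appiso_data_t)
manage_files_pattern(appiso_t, appiso_data_t, appiso_data_t)
files_search_var(appiso_t)

# Bring-up aid: log denials instead of blocking, exercise the software, feed
# "ausearch -m AVC -ts recent | audit2allow" back into this file, then delete
# this line before relying on the policy.
permissive appiso_t;
EOF
}

# File contexts: which on-disk paths carry which labels.
gen_fc() {
cat <<'EOF'
/opt/app/bin/app           --  gen_context(system_u:object_r:appiso_exec_t,s0)
/srv/app/instances(/.*)?       gen_context(system_u:object_r:appiso_data_t,s0)
EOF
}

# Full label for instance N's directory. MCS provides c0..c1023 per
# sensitivity level, so 100 instances fit comfortably.
instance_context() {
  n=${1:-}
  case "$n" in ''|*[!0-9]*) echo "instance number must be numeric" >&2; return 1 ;; esac
  [ "$n" -le 1023 ] || { echo "category out of range (max 1023)" >&2; return 1; }
  printf 'system_u:object_r:appiso_data_t:s0:c%s\n' "$n"
}

build_and_load() {
  work=$(mktemp -d)
  gen_te > "$work/$MODULE.te"
  gen_fc > "$work/$MODULE.fc"
  make -C "$work" -f "$DEVEL_MAKEFILE" "$MODULE.pp"
  semodule -i "$work/$MODULE.pp"
  restorecon -Rv "$APP_BIN" "$INSTANCES_DIR"
}

# Start instance N pinned to its own category. runcon's explicit context
# bypasses the automatic type_transition, so -t is given together with -l.
start_instance() {
  n=$1
  dir="$INSTANCES_DIR/$n"
  chcon -R -l "s0:c$n" "$dir"
  cd "$dir"
  exec runcon -t appiso_t -l "s0:c$n" "$APP_BIN"
}

case "${1:-}" in
  load)  build_and_load ;;
  start) start_instance "$2" ;;
esac
```

Three things to check before trusting this. Debian ships with SELinux disabled, so `getenforce` must report Enforcing (which means installing the policy packages and relabeling first); the domain transition happens only when the labeled file itself is executed, so if the control system starts instances as `python app.py` or similar, the labeled entry point has to be a wrapper script, not the interpreter; and the `.fc` entries carry only `s0`, so a later `restorecon` strips the per-instance categories unless they are also registered with `semanage fcontext -a -t appiso_data_t -r s0:cN '/srv/app/instances/N(/.*)?'`. Unlike chroot, none of this changes the filesystem view, so the existing control system keeps working as long as it too is given the rules it needs.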