Selinux policies per process, is it possible?

I

ipdemon2012-06-29 19:28:47

linux

ipdemon, 2012-06-29 19:28:47

Friends, help me understand.
There is a server on Debian on which several (up to 100 units) processes of the same type are launched from a non-privileged user in screens. The launched software has an unpleasant feature - through a certain vulnerability, the user of a separate running instance of the process can gain access to all directories and files available to the user on whose behalf it is launched.
Is it possible with selinux to block a running process in the directory from which it is launched?
Chroot - will not work, because. the control system for these running processes will completely cease to function.

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

A

Andrey Burov, 2012-06-30
@BuriK666

Grsecurity suits you

A

Alexander Demchenko, 2012-07-03
@braindamagedman

Yes, you can do this with SELinux. The executable process is assigned a label, then a rule is written that allows it to access only resources with certain labels (contexts). Further calls outside the allowed directories, despite the fact that there are enough file access rights, are blocked by the kernel.
Try to search the web for examples of such isolation. You can start, for example, from here .