SELinux prevent users from executing programs, for security? Who cares.

I recently received the following email about using SELinux to prevent users from executing programs.
 

I just started to learn SELinux and this is nice utility if you want confine any user who interact with your system.

A lot of information on Net about how to confine programs, but can't find about confining man's :)

I found rbash (https://access.redhat.com/solutions/65822) which help me forbid execution any software inside and outside user home directory except few.

As I understand correctly to do this using SELinux I need a new user domain(customuser)  which by default should deny all or I can start with predefined       guest_t?

Next then for example I can enable netutils_exec_ping(customuser_t, customuser_r).

I responded that:

SELinux does not worry so much about executing individual programs, although it can do this.  SELinux is basically about  defining the access of a process type.  
Just because a program can execute another program does not mean  that this process type is going to be allowed the access that the program requires.  For example.  

A user running as guest_t can execute su and sudo, and even if the user might discover the       correct password to become root, they can not become root on the system, SELinux would block it.  Similarly guest_t is not allowed to connect out of the system, so being able to execute ssh or ping does not mean that the user would be able to ping another host or       ssh to another system.

This is far more powerful than just blocking access to certain programs, since the user theoretically could down load those programs to his homedir, and use them there.

There are lots of Turing complete tools that the user will get access to, that would allow them to write code to do pretty much what every application installed on the system can do.  

Bottom line:

Blocking access to system objects and Linux Capabilities is far mor powerfull then blocking a user process from executing a program on disk.

Error

Anonymous comments are disabled in this journal

default userpic

Your reply will be screened