Quoting Oliver Welter (mail@oliwel.de):
> Hi Mike, Serge,
>
> >>>So, is there any way to do this ? I guess that SELinux/GR will offer
> >>>some pointers to forbid root these actions, but are there any "easier"
> >>>ways ??
> >>>
> >>Sounds like SELinux is the tool of choice for that.
> >
> >And if your concern is with the host's admins, not with exploited root
> >apps on the host server, then selinux still won't help you.

But OTOH, adding selinux controls over vserver could be useful in
protecting you from other exploits on the host machine. Or from
sub-admins, as mentioned previously. Might be worth considering.

> Partially....my second question here on the list regarding TPM support
> would be a great possibility to ensure and certify a certain state of
> the Root-Server.

Kent (cc'd) might be able to give some more details, but as I recall
while tpm is root-safe in some aspects, actually exploiting that to
really protect something from root is Danged Difficult.

What exactly would you want to protect?

> But to keep on track - are there any good howtos for SELinux/vserver

Haha, second hit on google says you use them together by disabling
selinux :)

But more seriously, you could just assign a new type
(httpd_vserver_file_t) to everything under /vservers/httpd, only allow
httpd_vserver_t to access those files, and make vserver an entry point
to it. Not sure what you'd achieve, or exactly what you want to
achieve, but we can toss the idea around and see where we get.
-serge
Received on Wed Apr 26 04:41:55 2006
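
The labelling idea from the message above, sketched as a Reference Policy style module with its file contexts. This is an added example, not policy from the thread or from any project. The type `vserver_exec_t`, the launcher path `/usr/sbin/vserver`, and `sysadm_t` as the calling domain are assumptions.

```selinux
# ---- httpd_vserver.te (added example; assumed names are marked) ----
policy_module(httpd_vserver, 1.0.0)

gen_require(`
	type sysadm_t;
	role sysadm_r;
')

# Domain for processes running inside the httpd guest.
type httpd_vserver_t;
domain_type(httpd_vserver_t)
role sysadm_r types httpd_vserver_t;

# Label for everything under /vservers/httpd.
type httpd_vserver_file_t;
files_type(httpd_vserver_file_t)

# Assumed label for the vserver launcher. Declaring it as the entry file
# makes it the only executable through which httpd_vserver_t is entered.
type vserver_exec_t;
domain_entry_file(httpd_vserver_t, vserver_exec_t)

# Assumption: the admin starts the guest from sysadm_t; executing the
# launcher then transitions the process into the guest domain.
domtrans_pattern(sysadm_t, vserver_exec_t, httpd_vserver_t)

# The guest domain manages and executes files in its own tree.
manage_dirs_pattern(httpd_vserver_t, httpd_vserver_file_t, httpd_vserver_file_t)
manage_files_pattern(httpd_vserver_t, httpd_vserver_file_t, httpd_vserver_file_t)
manage_lnk_files_pattern(httpd_vserver_t, httpd_vserver_file_t, httpd_vserver_file_t)
can_exec(httpd_vserver_t, httpd_vserver_file_t)

# SELinux is default-deny: a domain reaches httpd_vserver_file_t only via
# a rule naming the type or an attribute it carries (files_type() adds
# file_type). Domains granted access to all file_type objects, and any
# unconfined domain, are therefore not restricted by this module.

# ---- httpd_vserver.fc (added example; launcher path is an assumption) ----
/vservers/httpd(/.*)?		gen_context(system_u:object_r:httpd_vserver_file_t,s0)
/usr/sbin/vserver	--	gen_context(system_u:object_r:vserver_exec_t,s0)
```

The module covers only the labelling and the entry point; a running guest would need further rules, and a launcher shared by several guests would need a per-guest wrapper so that each one transitions into its own domain.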