silverquiet 12 hours ago

Doesn't SELinux do that (and more)?

zokier 7 hours ago | parent | next [-]

selinux doesn't really provide anything like ProtectHome or PrivateTmp mentioned in the article. SELinux only does access control, while systemd can create new resources that are scoped to specific service.
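
As an added illustration (not part of the thread, and not any real project's unit), here is a systemd unit that uses the per-service resources the comment above refers to. The service name `whateverd`, its binary path and its state directory are hypothetical; the directives themselves are standard systemd service settings.

```ini
# /etc/systemd/system/whateverd.service  (hypothetical name and path)
[Unit]
Description=Example hardened daemon (constructed example, not from the thread)

[Service]
ExecStart=/usr/bin/whateverd --state-dir /var/lib/whateverd
# Fresh, per-service /tmp and /var/tmp: systemd creates a private
# mount namespace view, so no other unit can see or reuse these files.
PrivateTmp=yes
# /home, /root and /run/user are made inaccessible to this service.
ProtectHome=yes
# Most of the filesystem is mounted read-only for this service ...
ProtectSystem=strict
# ... except a state directory that systemd creates, owns and scopes to
# this unit (/var/lib/whateverd), rather than a policy merely gating it.
StateDirectory=whateverd
# Run as an unprivileged user allocated transiently at start-up.
DynamicUser=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security whateverd.service` lists each sandboxing directive with an exposure score, which is a quick way to check that the settings actually took effect for that unit.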

amluto 12 hours ago | parent | prev [-]

The problem is the “more”. SELinux is extremely flexible and does what the configuration tells it to do. And it does not compose well. Want to point whateverd at /var/lib/whatever? Probably works if the distro packages are correct. Want to make /var/lib/whatever be a symlink? Probably does not do what you expect. Want to run a different daemon that accesses /var/lib/whatever or mount it into a container? Good luck. Want to run a second copy of the distro’s whateverd and point it at a different directory? The result depends on how the policy works.

And worst: want to understand what the actual security properties of your policy are? The answer is buried very, very deep.