9

I want to limit access to a single directory on the hard disk (log files) to a few processes (log files for a single process, for example). All processes run under the same user, so file system access restrictions are not an option.

What are my options? AppArmor? SELinux?

I don't want to restrict single processes, I want to restrict all processes from accessing a directory except a few select ones. Seems AppArmor can't do that.

leoluk
  • 193
  • 1
  • 5
  • For comparison between SELinux and AppArmor you can review my earlier post http://security.stackexchange.com/questions/29378/comparsion-between-apparmor-and-selinux – Ali Ahmad Feb 01 '13 at 19:55

3 Answers

8

The upside -- yes, you can do this with SELinux. The downside -- you have to know SELinux. :)

You can execute these processes in different SELinux domains. E.g. let's call two processes "privapp" and "unprivapp" -- privapp is able to access /var/lib/app/log and unprivapp cannot access /var/lib/app/log, despite running as the same user.

So, you create two domains privapp_t and unprivapp_t and label the executables as privapp_exec_t and unprivapp_exec_t. You then label /var/lib/app/log as var_lib_privapp_rw_t and indicate that only a process running as privapp_t is able to access it.

This is the easy part -- the hard part is expressing the above in the policy language, which is the bit known to drive grown men and women to tears. :)

mricon
  • 6,238
  • 22
  • 27
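As an added example (not part of mricon's answer), here is a minimal refpolicy-style module that sets up the domains and label he describes. It assumes a targeted policy with the refpolicy development headers installed, hypothetical binaries at /usr/local/bin/privapp and /usr/local/bin/unprivapp, and the /var/lib/app/log directory from the answer.

```selinux
# privapp.te
# Build:   make -f /usr/share/selinux/devel/Makefile privapp.pp
# Install: semodule -i privapp.pp && restorecon -Rv /var/lib/app/log /usr/local/bin
policy_module(privapp, 1.0)

gen_require(`
    type unconfined_t;
    role unconfined_r;
')

# The two domains and the entrypoint types of their executables.
type privapp_t;
type privapp_exec_t;
application_domain(privapp_t, privapp_exec_t)

type unprivapp_t;
type unprivapp_exec_t;
application_domain(unprivapp_t, unprivapp_exec_t)

# Label for /var/lib/app/log and everything below it.
type var_lib_privapp_rw_t;
files_type(var_lib_privapp_rw_t)

# Only privapp_t gets allow rules on var_lib_privapp_rw_t. unprivapp_t gets none,
# so SELinux's default deny blocks it even though both run as the same UID.
manage_dirs_pattern(privapp_t, var_lib_privapp_rw_t, var_lib_privapp_rw_t)
manage_files_pattern(privapp_t, var_lib_privapp_rw_t, var_lib_privapp_rw_t)
files_search_var_lib(privapp_t)

# Running the binaries from an unconfined shell transitions them into their domains.
domtrans_pattern(unconfined_t, privapp_exec_t, privapp_t)
domtrans_pattern(unconfined_t, unprivapp_exec_t, unprivapp_t)
role unconfined_r types privapp_t;
role unconfined_r types unprivapp_t;

# Both domains still need everyday permissions (shared libraries, /etc, devices).
# Keep them permissive while collecting denials with audit2allow, then drop these.
permissive privapp_t;
permissive unprivapp_t;

# privapp.fc (hypothetical binary paths)
/usr/local/bin/privapp     --  gen_context(system_u:object_r:privapp_exec_t,s0)
/usr/local/bin/unprivapp   --  gen_context(system_u:object_r:unprivapp_exec_t,s0)
/var/lib/app/log(/.*)?         gen_context(system_u:object_r:var_lib_privapp_rw_t,s0)
```

Processes that never leave unconfined_t are not restricted by this module, so every process that must be kept out of the directory needs its own confined domain. Remove the two permissive lines once audit2allow shows no unexpected denials.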
1

I don't think you are going to be able to accomplish that with only a single user. The closest thing to what you are talking about that I can think of is the way Android does it, and that is simply that each process runs under its own user, thus it can only access its own files and files of those processes that allow it access. Processes themselves aren't strong identities in any system I know of.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • It's easily possible using mandatory access control, I'm just unsure about the best way to do it. – leoluk Feb 01 '13 at 19:56
  • It's even more easily possible when running processes under separate user accounts. Why use a nailgun when a hammer will suffice? – Stephen Touset Feb 01 '13 at 20:25
  • @Leoluk - Yes, mandatory access control would solve it, but you said they were running under a single user. Mandatory access control effectively means that it is being split to the process itself which is basically equivalent to giving them their own user. – AJ Henderson Feb 01 '13 at 20:27
1

I would recommend looking into remote syslog. This way you can be sure that logs cannot be deleted or tampered with.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196