3

I have a client with a legacy application running on RH 3 (=the latest version supported by app). There is a process that has to run as root (and not in a chroot environment). I need to prevent this process from accessing some sensitive data files.

According to this post, it seems SELinux can do this: Restrict access to a specific directory on Linux

However, I do not know SELinux and I am trying to find out if my specific scenario is possible on such an old RH distro and with the process running as root. If it is, I'll need to read up on SELinux (unless there is an easier way to accomplish this).

Is this possible? If so, some details / pointers would be great.

Community
  • 1
Zek
  • 133
  • 2

1 Answers1

3

There are two solutions:

  1. Use a tool like SELinux. It's designed specifically for this particular task, but it takes some real understanding to use effectively. You'll need more than just a few pointers, you need to go read and understand the documentation.

  2. Use a virtual machine. The "root" program runs in its own VM on your server and can't see anything outside its own little world.

tylerl
  • 82,225
  • 25
  • 148
  • 226
  • #1: My specific question was if SELinux can do this with the process in question running as root (and if so, if even older versions of SELinux [RH 3 / Kernel 2.4] supports this). IF it can, I need to invest the time to learn how. #2: Not a solution - the process needs to run where the data files are (but w/o access to certain files). – Zek Aug 07 '13 at 02:24
  • SELinux is an access control layer *in addition to* the user/permissions model. So "root" gets you past layer 1, but beyond that the SELinux layer adds a whole new set of permissions and ownership roles. – tylerl Aug 07 '13 at 03:20
  • Got it. So it sounds like it should work (just need to figure out how, without breaking the legacy app). Thanks! – Zek Aug 07 '13 at 04:00