Quoting Oliver Welter ([EMAIL PROTECTED]):
> Hi Mike, Serge,
>
> >>>So, is there any way to do this ? I guess that SELinux/GR will offer
> >>>some pointers to forbid root these actions, but are there any "easier"
> >>>ways ??
> >>>
> >>Sounds like SELinux is the tool of choice for that.
> >
> >And if your concern is with the host's admins, not with exploited root
> >apps on the host server, then selinux still won't help you.

But OTOH, adding selinux controls over vserver could be useful in
protecting you from other exploits on the host machine. Or from
sub-admins, as mentioned previously. Might be worth considering.

> Partially....my second question here on the list regarding TPM support
> would be a great possibility to ensure and certify a certain state of
> the Root-Server.

Kent (cc'd) might be able to give some more details, but as I recall
while tpm is root-safe in some aspects, actually exploiting that to
really protect something from root is Danged Difficult. What exactly
would you want to protect?

> But to keep on track - are there any good howtos for SELinux/vserver

Haha, second hit on google says you use them together by disabling
selinux :)

But more seriously, you could just assign a new type
(httpd_vserver_file_t) to everything under /vservers/httpd, only allow
httpd_vserver_t to access those files, and make vserver an entry point
to it. Not sure what you'd achieve, or exactly what you want to
achieve, but we can toss the idea around and see where we get.

-serge
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
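
The suggestion at the end of the message above (a new file type under /vservers/httpd, access for httpd_vserver_t only, vserver as the entry point) written out as an SELinux policy module. This is an added example, not part of the original message and not policy shipped by any project. The type vserver_exec_t, the caller domain unconfined_t with role unconfined_r, and the /usr/sbin/vserver path are assumptions; it covers the three rules named in the message and assumes everything else the guest needs is granted by further policy.

```selinux
# httpd_vserver.te: added sketch, not policy from the thread.
# Assumed names: vserver_exec_t, caller unconfined_t/unconfined_r,
# and the /usr/sbin/vserver path. Matching httpd_vserver.fc labels:
#   /vservers/httpd(/.*)?  system_u:object_r:httpd_vserver_file_t:s0
#   /usr/sbin/vserver  --  system_u:object_r:vserver_exec_t:s0
module httpd_vserver 1.0;

require {
	type unconfined_t;
	role unconfined_r;
	attribute domain;
	attribute file_type;
	attribute exec_type;
	class process { transition sigchld };
	class fd use;
	class dir { getattr search open read write add_name remove_name };
	class file { getattr open read write append create unlink execute entrypoint };
	class lnk_file { getattr read };
}

# The guest's domain, its file type, and the launcher's type.
type httpd_vserver_t;
type httpd_vserver_file_t;
type vserver_exec_t;
typeattribute httpd_vserver_t domain;
typeattribute httpd_vserver_file_t file_type;
typeattribute vserver_exec_t file_type;
typeattribute vserver_exec_t exec_type;
role unconfined_r types httpd_vserver_t;

# "make vserver an entry point": executing vserver_exec_t from the
# caller's domain moves the process into httpd_vserver_t.
# Every guest started through this binary lands in that domain.
allow unconfined_t vserver_exec_t:file { getattr open read execute };
allow unconfined_t httpd_vserver_t:process transition;
type_transition unconfined_t vserver_exec_t:process httpd_vserver_t;
allow httpd_vserver_t vserver_exec_t:file { getattr open read execute entrypoint };
allow httpd_vserver_t unconfined_t:fd use;
allow httpd_vserver_t unconfined_t:process sigchld;

# "only allow httpd_vserver_t to access those files": these are the
# only allow rules in this module that target httpd_vserver_file_t.
allow httpd_vserver_t httpd_vserver_file_t:dir { getattr search open read write add_name remove_name };
allow httpd_vserver_t httpd_vserver_file_t:file { getattr open read write append create unlink execute };
allow httpd_vserver_t httpd_vserver_file_t:lnk_file { getattr read };
```

Rules elsewhere in the loaded policy that are written against the `file_type` attribute still apply to the new type, so `sesearch -A -t httpd_vserver_file_t` is the check for which domains can actually reach it. An unconfined root on the host is not stopped by this module, which is the limit stated at the top of the message.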