[ale] Write permission
Jim Kinney
jim.kinney at gmail.com
Mon May 16 10:48:24 EDT 2016
I'm trying to envision a process that will have some funky permissions in
play and would appreciate ideas.
Data is sensitive and stored in encrypted partition. Only users in the
approved group can read in that folder.
They need to run that data through custom code that may do temporary writes
somewhere. That will need to be locked down and either encrypted or
overwritten after use (or both). This is the easy part.
I need to prevent that data from being written/copied anywhere else even if
they have write permission (home dir).
I run CentOS 7 systems so I have selinux. However, once this scales off the
individual research system to the cluster, I've disabled selinux on the
cluster for performance reasons. I can activate it if the encrypted folders
are mounted and limit runs to specific nodes if always running.
So I'm seeing (sort of. Not fully thought out yet) a rule that allows data
read with binaries of a particular type that can only write to particular
folders. Note that the final output of the data run is not sensitive but
intermediate data may be. To run a process requires writing binary to
specific folder. That folder forces all contents to be special type that is
subject to selinux rule.
Can't allow users to directly read the files in order to disallow 'cat file
> newfile' to disallowed folder.
Data files are (currently) video and output is ascii text so it's possible
to check file types on output before allowed to copy to new folder.
However, the input data files may be ascii for a different groups work.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20160516/7f2628d0/attachment.html>
More information about the Ale
mailing list