I'd like to take advantage of SELinux's ability to restrict a group of Linux processes. The group is unprivileged users with high enough UID (say, >1000). This I want to do on a shared hosting server, where many different customers run their PHP scripts. Currently, SELinux is off.

More specifically, I'd like to ban creation of symlinks and perhaps a few other similar rules, due to various symlink-related attacks, for example, see

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+symlink+race

I think such use of SELinux is possible using a rule in base policy, a short rule that does something like (pseudo code):

"allow everything that SELinux Off does"
neverallow $source_type $target_type : lnk_file write;

where in source_type and target_type somehow the targeted group of Unix users will be specified (sorry if that is wrong, I'm not very familiar with SELinux yet).

However, this is pretty much the only thing I want SELinux to do.

I'd rather not use the full default policy distributed by Red Hat or other Linux distributions, for that is very restrictive and could lead to a lot of problems with currently working applications.

Is there some problem with running SELinux with so permissive a policy? Or, is there some other preferred way to achieve this kind of restriction?
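
An added example, not part of the original post: a read-only audit for the condition the question worries about, listing symlinks owned by accounts with UID above 1000 that resolve to a file owned by a different account. It reports and does not block link creation; the function names and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

MIN_UID = 1000  # cut-off taken from the post ("say, >1000"); adjust per host


def iter_symlinks(root):
    """Yield (link, link_uid, resolved_target, target_uid) for each symlink
    under root; target_uid is None when the link does not resolve."""
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            link_st = os.lstat(path)              # the link itself
            if not stat.S_ISLNK(link_st.st_mode):
                continue
            try:
                target_uid = os.stat(path).st_uid  # follows the link
            except OSError:
                target_uid = None                  # dangling or looping
            yield path, link_st.st_uid, os.path.realpath(path), target_uid


def crosses_owner(link_uid, target_uid, min_uid=MIN_UID):
    """True when a link made by a UID above min_uid points at a file that
    account does not own (or at nothing yet, which is worth a review)."""
    if link_uid <= min_uid:
        return False                # system accounts are out of scope here
    return target_uid is None or target_uid != link_uid


def audit(root, min_uid=MIN_UID):
    """Return the rows from iter_symlinks that crosses_owner flags."""
    return [r for r in iter_symlinks(root) if crosses_owner(r[1], r[3], min_uid)]


if __name__ == "__main__":
    # Constructed sample tree standing in for a customer's document root.
    with tempfile.TemporaryDirectory() as docroot:
        os.symlink("/", os.path.join(docroot, "fs"))          # link to root dir
        os.symlink("missing", os.path.join(docroot, "later"))  # dangling link
        for link, uid, target, target_uid in audit(docroot, min_uid=-1):
            print(f"uid {uid}: {link} -> {target} (owner {target_uid})")
```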