Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 223

21.7.7 Owner Conditional Rules
The file rules can be extended so that they can be conditional upon the user being
the owner of the file (the fsuid has to match the file's uid). For this purpose the owner
keyword is prepended to the rule. Owner conditional rules accumulate just as regular
file rules.
owner /home/*/** rw,
When using file ownership conditions with link rules the ownership test is done against
the target file so the user must own the file to be able to link to it.
NOTE: Precedence of Regular File Rules
Owner conditional rules are considered a subset of regular file rules. If a regular
file rule overlaps with an owner conditional file rule, the resultant permissions
will be that of the regular file rule.
21.7.8 Deny Rules
Deny rules can be used to annotate or quiet known rejects. The profile generating tools
will not ask about a known reject treated with a deny rule. Such a reject will also not
show up in the audit logs when denied, keeping the log files lean. If this is not desired,
prepend the deny entry with the keyword audit.
It is also possible to use deny rules in combination with allow rules. This makes it
possible to specify a broad allow rule and then subtract a few known files that should
not be allowed. Deny rules can also be combined with owner rules, to deny files owned by
the user. The following example allows read/write access to everything in a user's
directory except write access to the .ssh/ files:
deny /home/*/.ssh/** w,
/home/*/** rw,
The extensive use of deny rules is generally not encouraged, because it makes it much
harder to understand what a profile does. However, a judicious use of deny rules can
simplify profiles. Therefore the tools only generate profiles denying specific files and
will not make use of globbing in deny rules. Manually edit your profiles to add deny
rules using globbing. Updating such profiles using the tools is safe, because the deny
entries will not be touched.
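The following model, added here as an illustration and not code from the SUSE guide or from AppArmor itself, shows how the rules in sections 21.7.7 and 21.7.8 combine: owner rules apply only when the requesting fsuid owns the file, a regular rule that overlaps an owner rule grants its permissions regardless of ownership, deny rules subtract permissions from whatever the allow rules grant, and a reject covered by a deny rule is quiet unless the rule carries audit. The profile lines are the guide's own two deny/allow rules plus a constructed owner rule and a constructed audit deny rule; the glob matching (* stops at /, ** does not) and the functions parse_profile and evaluate are this example's simplification, not the kernel's matcher.

```python
"""Toy model of AppArmor file/owner/deny rule combination (illustration only)."""
import re
from dataclasses import dataclass

# Constructed profile fragment: the guide's .ssh deny rule and /home/*/** allow rule,
# plus an owner-conditional rule and an audit deny rule added for this example.
PROFILE = """
  deny /home/*/.ssh/** w,
  owner /home/*/** rw,
  /home/*/** r,
  audit deny /home/*/.bash_history r,
"""


@dataclass(frozen=True)
class FileRule:
    path: str            # AppArmor path glob
    perms: str           # permission letters, e.g. "rw"
    owner: bool = False  # only applies when fsuid == file uid
    deny: bool = False   # subtracts permissions instead of granting them
    audit: bool = False  # log the reject even though a deny rule covers it


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate an AppArmor-style path glob: '*' stays within one path
    component, '**' crosses directory boundaries, '?' is one character."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        out.append({"*": "[^/]*", "?": "[^/]"}.get(c, re.escape(c)))
        i += 1
    return re.compile("".join(out))


def parse_rule(line: str) -> FileRule:
    """Parse 'audit deny owner <glob> <perms>,' in any keyword order."""
    tokens = line.strip().rstrip(",").split()
    flags = {"audit": False, "deny": False, "owner": False}
    while tokens and tokens[0] in flags:
        flags[tokens.pop(0)] = True
    if len(tokens) != 2:
        raise ValueError(f"unsupported rule: {line!r}")
    path, perms = tokens
    return FileRule(path, perms, **flags)


def parse_profile(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def evaluate(rules, path: str, requested: str, is_owner: bool):
    """Return (granted, logged) for a request of `requested` perms on `path`.

    granted: every requested permission survives allow-minus-deny.
    logged:  the reject would appear in the audit log, i.e. some missing
             permission is not covered by a quiet (non-audit) deny rule.
    """
    allowed, denied_quiet, denied_audit = set(), set(), set()
    for r in rules:
        if r.owner and not is_owner:
            continue  # owner rules are skipped when the fsuid does not own the file
        if not glob_to_regex(r.path).fullmatch(path):
            continue
        perms = set(r.perms)
        if r.deny:
            (denied_audit if r.audit else denied_quiet).update(perms)
        else:
            allowed |= perms  # owner and regular allow rules accumulate
    effective = allowed - denied_quiet - denied_audit  # deny always wins
    missing = set(requested) - effective
    granted = not missing
    quiet = denied_quiet - denied_audit  # audit deny overrides a quiet deny
    logged = bool(missing) and not missing <= quiet
    return granted, logged


if __name__ == "__main__":
    rules = parse_profile(PROFILE)
    for path, perms, owner in [("/home/alice/notes.txt", "rw", True),
                               ("/home/alice/notes.txt", "rw", False),
                               ("/home/alice/.ssh/config", "w", True),
                               ("/home/alice/.bash_history", "r", False)]:
        granted, logged = evaluate(rules, path, perms, owner)
        print(f"{path:28} {perms:2} owner={owner!s:5} granted={granted} logged={logged}")
```

Running it shows the two properties the guide's note and deny section describe: a non-owner still gets r on /home/alice/notes.txt from the regular rule but is refused w (and that refusal is logged, since no deny rule covers it), while a write to .ssh/config is refused silently because the deny rule quiets it, and the audit deny on .bash_history is refused and logged.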
Profile Components and Syntax