[CentOS] selinux: how to allow access?

Tue Mar 20 13:36:52 UTC 2018
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Tue, 20 Mar 2018, hw wrote:

> which is what access rights are for

Yes and no.  You can run firefox and let it download files into the Downloads
directory, but not elsewhere.  You can run apache on port 80/443 but not let
it open up a different port.  You can stop apache reading files outside of its
webroot even though they're readable by all users.

You can't do all that with simple file permissions.

> It still doesn't allow me as a user to make it so that a program I'm running
> can only access the files I want it to access.  Why isn't that a common thing
> for users to do?  Gimp doesn't need to have access to my emails and fvwm
> doesn't need to access anything but its configuration, etc.  Since those
> are common things, why doesn't selinux do it --- and in such a way that it is
> easy to manage?

You want a *user* to be able to confine applications in this way, not an