On Tue, 2012-03-27 at 17:43 -0400, Konstantin Ryabitsev wrote:
> Let me verify this in my VM, though, before I'm forced to insert my foot
> into my mouth. :)

Yes, it works just as I thought. If you want to test it out:

testguest.te:
--------------------------------
policy_module(testguest, 1.0.0)

role testguest_r;
irc_role(testguest_r, testguest_t)
userdom_restricted_user_template(testguest)
gen_user(testguest_u, user, testguest_r, s0, s0)
--------------------------------

make -f /usr/share/selinux/devel/Makefile testguest.pp
semodule -i testguest.pp
cd /etc/selinux/targeted/contexts/users
cat guest_u | sed 's/guest_u/testguest_u/g' > testguest_u
useradd bob
passwd bob
usermod -Z testguest_u bob

As a result:

[bob@moppet ~]$ whoami
bob
[bob@moppet ~]$ id -Z
testguest_u:testguest_r:testguest_t:s0
[bob@moppet ~]$ telnet irc.freenode.org 6667
Trying 94.125.182.252...
telnet: connect to address 94.125.182.252: Permission denied

Best,
-- 
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure