I've updated to the devel version of the strict policy, I tried commenting out the can_execs from the base_user_macro.te and user_macros.te, but I still don't see anything in the audit log when I try running a number of programs in the bin_t domain. Is the some sort of tracing that I can enable to see what policy is permitting execution of a particular program ? Thanks, Todd On Mon, 2005-07-25 at 10:39 -0400, Daniel J Walsh wrote: > Todd Merritt wrote: > > >I'm getting started with selinux on FC 4. I'm using the strict policy, > >but I'd like to restrict it further so that users can only execute a > >handful of commands. I've tried replacing full_user_role(user_t) with > >limit_user role, but the drew assertion errors when trying to load the > >policy, and I tried removing restricting the can_exec in both full and > >limited_user_role macros in macros/user_macros.te, but (at least from > >looking at audit to allow) none of this seems to be getting me where I > >want to be. What is the beast way to remove all access from user_t so > >that I can add in the commands I want them to be able to run ? > > > > > > > First update to the latest rawhide strict policy. We have not been > updating strict policy for FC4. > Then you probably need to remove can_exec lines from base_user_macros. > Problem is eliminating > them might set you up with a solution where a user can not login. Are > you doing this with a X Windows System, or > a server? > > >Thanks, > >Todd > > > > > >-- > >fedora-selinux-list mailing list > >fedora-selinux-list@xxxxxxxxxx > >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > > -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list
