Vadym Chepkov wrote:
> Hi,
>
> I wonder if it is possible to achieve "scp only" capability for a user just by using SELinux? Basically I want a user to be able to only upload/download files from his home via scp/sftp and nothing else. Thank you.
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

As a first effort you could place the scp and sftp binaries into a separate domain, create a role that can only enter that domain, and place the user in that role. However, if shell access is required (including whatever ssh does at login time) the policy could get more complicated. You could also use the networking controls to only allow outgoing connections on the ports for scp/sftp/ssh. But in general, yes, SELinux is well-suited to this type of task.

--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency