On Tue, 2012-11-06 at 10:09 +0100, bob lapointe wrote:
> Hello,
> I want to restrict a user, I would forbid the use of system commands
> such as "find, perl".
>
> In all the documentation I've found, it is always about allowing
> commands, never about prohibiting a user from doing something.
>

Access is denied by default; if you want to allow something then you need to specify that.

> Can it be done with SELinux? Or do I have to "play" with the rights of
> commands?

It can be done, sure (whether it makes sense to do it is another question).

I do not know what you mean by "I have to "play" with the rights of commands?"

Basically what you would need to do is create private types, make the types core command executable file types, label the executable files accordingly and then specify who can execute them.

I am not sure what approach you are using to create your confined user, but if you are using the shipped SELinux macros, as is, to base your new confined user policy on, then you are accepting some of the properties of these macros. One of these properties may be that it already allows your user to execute find or perl.

So to create a confined user that is customized in a way that differs from what is facilitated by the distro macros, you would need to work around those few "limitations" of the provided macros or create a new user domain from scratch.

Basically you are providing us with too few details about your approach for me to be able to give a more specific answer.

>
> Thanks
> Jérémy P
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
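A sketch of the steps the reply lists (private types, executable file type, labeling, explicit execute rules), added here as an example and not taken from the thread or from any distribution policy. The module name, the type names `find_exec_t` and `perl_exec_t`, the paths, and the choice of `staff_t` as a domain that keeps access are all assumptions.

```selinux
# ---- restricted_cmds.te (hypothetical module) ----
policy_module(restricted_cmds, 1.0.0)

# Step 1: private types for the two executables (hypothetical names).
type find_exec_t;
type perl_exec_t;

# Step 2: make them core command executable file types.
# Note: this reference policy interface also adds the exec_type
# attribute, so a user domain whose template allows executing all
# exec_type files keeps access. That is the macro "property" the
# reply warns about; such a domain has to be built without that rule.
corecmd_executable_file(find_exec_t)
corecmd_executable_file(perl_exec_t)

# Step 4: say who may execute them. Every domain that previously ran
# these files under their old label needs a rule like this, otherwise
# it is denied by default.
gen_require(`
	type staff_t;
')
can_exec(staff_t, { find_exec_t perl_exec_t })

# ---- restricted_cmds.fc ----
# Step 3: label the executable files (paths are assumptions).
/usr/bin/find	--	gen_context(system_u:object_r:find_exec_t,s0)
/usr/bin/perl	--	gen_context(system_u:object_r:perl_exec_t,s0)

# ---- after loading the module ----
# Apply the labels:
#   restorecon -v /usr/bin/find /usr/bin/perl
# Check whether the confined user domain (user_t assumed here) is
# still allowed to execute the new type:
#   sesearch -A -s user_t -t find_exec_t -c file -p execute
```

If the `sesearch` query still returns an allow rule for the confined user domain, the access is coming from the macros that domain was built with, not from this module.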