I've recently written a blog post about creating a restricted openssh login user with raw rules:

https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/

It works really well in Fedora 18. I am able to prevent the user from getting any information about selinux. For example:

[myrole@virt ~]$ id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
[myrole@virt ~]$ sestatus
SELinux status: disabled
[myrole@virt ~]$ getenforce
Disabled

However, this does not work in RHEL6 like it does in Fedora 18.

In Fedora 18 it's probably blocked by disallowing the user to get attributes of its own process (?)

However, it seems that in RHEL6 it gets much of this information by reading the user process state files instead?

Is some difference in behaviour in libselinux or some other selinux lib responsible for this?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux