On 02/11/2013 05:49 AM, Dominick Grift wrote:
> I've recently written a blog post about creating a restricted openssh login
> user with raw rules:
> https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/
>
> It works really well in Fedora 18. I am able to prevent the user from
> getting any information about selinux. For example:
>
> [myrole@virt ~]$ id -Z
> id: --context (-Z) works only on an SELinux-enabled kernel
> [myrole@virt ~]$ sestatus
> SELinux status: disabled
> [myrole@virt ~]$ getenforce
> Disabled
>
> However this does not work in RHEL6 like it does in Fedora 18.
>
> In Fedora 18 it's probably blocked by disallowing the user to get attributes
> of its own process (?)
>
> However it seems that in RHEL6 it gets much of this information by reading
> the user process state files instead?
>
> Is some difference in behaviour in libselinux or some other selinux lib
> responsible for this?
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

I think there were changes to libselinux to interpret a read-only /selinux as SELinux disabled.
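The behaviour the reply describes, as an added example that is not part of the thread or of libselinux itself: a small model of how a userspace tool can decide whether SELinux "looks enabled" from the mount table, treating a read-only selinuxfs as disabled. The /proc/mounts contents below are constructed samples; the mount points are assumptions.

```python
"""Model of how a tool decides whether SELinux is 'enabled' from the mount table.

Added example (not from the mailing-list thread and not libselinux code): it
mimics the behaviour the reply describes, i.e. a selinuxfs that is mounted
read-only is treated as "SELinux disabled". The /proc/mounts lines below are
constructed samples; the paths /selinux and /sys/fs/selinux are assumptions.
"""
from typing import Optional, Tuple

# Constructed sample mount tables (/proc/mounts format: dev mnt fstype opts 0 0).
MOUNTS_RW = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
"""

MOUNTS_RO = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /selinux selinuxfs ro,relatime 0 0
"""

MOUNTS_NONE = "rootfs / rootfs rw 0 0\nproc /proc proc rw 0 0\n"


def find_selinuxfs(mounts_text: str) -> Optional[Tuple[str, bool]]:
    """Return (mountpoint, read_only) for the selinuxfs entry, or None if absent."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "selinuxfs":
            continue
        # Mount options are a comma-separated list; "ro" means read-only.
        read_only = "ro" in fields[3].split(",")
        # /proc/mounts escapes spaces in paths as \040; undo that for the caller.
        return fields[1].replace("\\040", " "), read_only
    return None


def selinux_appears_enabled(mounts_text: str) -> bool:
    """True only if selinuxfs is mounted *and* writable.

    A read-only selinuxfs is reported as disabled, which matches what the
    restricted user in the thread sees from `sestatus` and `getenforce`.
    """
    found = find_selinuxfs(mounts_text)
    return found is not None and not found[1]


def selinux_appears_enabled_on_this_host() -> bool:
    """Apply the same check to the real /proc/mounts (Linux only)."""
    try:
        with open("/proc/mounts") as fh:
            return selinux_appears_enabled(fh.read())
    except OSError:
        return False
```

Run `selinux_appears_enabled_on_this_host()` as the restricted user and as an unconfined user to compare what each can observe from the mount table alone.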