SELinux constrain policy for escalated root user

We need to constrain a tomcat escalated root user from executing "useradd" and "semanage" commands on RHEL6.

Can we add an SELinux constraint policy to achieve the same?

A tomcat escalated root user (i.e. when a "tomcat" user escalates to the "root" user on the system) has the following security context:

uid=0(root) gid=0(root)
  groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=system_u:system_r:tomcatd_t:SystemLow-SystemHigh

The logic of this constraint should be as follows:

If id="root" and source type="tomcatd_t" 

   Then disallow domain transition to both "useradd_exec_t" as well as "semanage_exec_t"

1. Is this something doable through an SELinux constraint policy?
2. If so, what should be the syntax of the policy?
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
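As an added example, not part of the original post or of any shipped policy: the two constrain statements that express the logic above in the kernel policy language. They assume the domain tomcatd_t (taken from the context shown in the post) and the Reference Policy names useradd_t/useradd_exec_t and semanage_t/semanage_exec_t exist in the loaded policy; the latter names are an assumption. Two caveats a practitioner would want: a constraint expression can only test the fields of the source and target security contexts (u1/r1/t1/l1 and u2/r2/t2/l2), so the Linux uid reported by id cannot appear in it and the type tomcatd_t has to carry the whole condition; and in the legacy (non-CIL) module language used on RHEL 6, constrain statements are accepted in the base policy only, not in a loadable module built with checkmodule -m. Because SELinux is default-deny, it is also worth checking first whether any allow rule grants the access at all; the sesearch commands in the comments do that, and empty output means the execution is already denied without any constraint.

```selinux
# Added example; not from the original post. Assumes the types named
# below exist in the loaded policy (tomcatd_t from the post's context;
# useradd_t/useradd_exec_t and semanage_t/semanage_exec_t are the
# Reference Policy names and are an assumption here).
#
# First check whether any allow rule currently permits the access:
#   sesearch --allow -s tomcatd_t -t useradd_exec_t  -c file
#   sesearch --allow -s tomcatd_t -t semanage_exec_t -c file
#   sesearch --allow -s tomcatd_t -t useradd_t  -c process -p transition
#   sesearch --allow -s tomcatd_t -t semanage_t -c process -p transition
# No output means the access is already denied and no constraint is needed.

# 1. Block the domain transition itself. For class process, t1 is the
#    calling domain and t2 is the new domain, so the transition to forbid
#    is into useradd_t / semanage_t, not into the *_exec_t file types.
constrain process transition
    ( not ( t1 == tomcatd_t and ( t2 == useradd_t or t2 == semanage_t ) ) );

# 2. Also block executing the binaries without a transition, so tomcatd_t
#    cannot run /usr/sbin/useradd or /usr/sbin/semanage inside its own
#    domain even if an allow rule for execute_no_trans exists. Here t2 is
#    the file's type.
constrain file { execute execute_no_trans }
    ( not ( t1 == tomcatd_t and ( t2 == useradd_exec_t or t2 == semanage_exec_t ) ) );
```

Both statements are written in the negated form "not (source and target)" so they mirror the if/then logic in the post; a constraint that evaluates to false denies the access even when an allow rule exists. After rebuilding and reloading the base policy with these statements, a test run of useradd or semanage from the tomcatd_t shell should appear as an AVC denial in ausearch -m avc -ts recent.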
