On Tue, 2013-09-03 at 06:28 +0000, Anamitra Dutta Majumdar (anmajumd) wrote:
> We need to constrain a tomcat escalated root user from executing "useradd" and "semanage" commands on RHEL6.
>
> Can we add a SELinux constraint policy to achieve the same?
>
> A tomcat escalated root user (i.e. when a "tomcat" user escalates to the "root" user on the system)
> has the following security context
>
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=system_u:system_r:tomcatd_t:SystemLow-SystemHigh
>
> The logic of this constraint should be as follows..
>
> If id="root" and source type="tomcatd_t"
>
> Then disallow domain transition to both "useradd_exec_t" as well as "semanage_exec_t"
>
> 1. Is this something doable through an SELinux constrain policy?
> 2. If so, what should be the syntax of the policy?
> --

I do not believe you can use traditional Linux security identifiers (uid/gid) in policy constrain statements.

> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
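As an added illustration of that point (not from the thread above): a constrain expression can only compare the SELinux user, role and type of the source (u1/r1/t1) and target (u2/r2/t2) contexts, so the nearest equivalent is keyed on the type alone, which is enough here because the escalated shell still runs as tomcatd_t. It assumes the statement goes into the base policy, since the legacy module language does not accept constrain in a loadable .te module.

```selinux
# Added example, not the thread's own policy. The operands available in a
# constrain expression are u1/u2 (SELinux users, not Linux uids), r1/r2
# (roles) and t1/t2 (types); there is no operand for uid or gid.
# tomcatd_t, useradd_exec_t and semanage_exec_t are the types named in
# the question. Base policy only (assumption: legacy modules reject constrain).

constrain file execute
    ( not ( t1 == tomcatd_t and t2 == { useradd_exec_t semanage_exec_t } ) );

# Type enforcement is default-deny, so before adding anything check whether
# tomcatd_t is allowed to execute those files at all (setools 3 syntax on RHEL6):
#   sesearch -A -s tomcatd_t -t useradd_exec_t  -c file -p execute
#   sesearch -A -s tomcatd_t -t semanage_exec_t -c file -p execute
```

If sesearch prints no allow rule, the transition is already blocked by type enforcement and no constraint is needed.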