Re: rpm_exec and confined type for rpm scriptlets

On 02/18/2015 03:53 AM, Cretu Adrian wrote:
> 
> Hi,
> Is there a way I can permit a user confined by SELinux to run rpm but
> have the scriptlets executed in the user's domain type instead of
> rpm_script_t?
> 
> I have a use case where I need to permit some users to install rpms but
> at the same time I need to confine them so they would not interfere with
> files that define network interfaces/kernel and so on.

I think you would need to define a domain transition from the user's
domain type (let's say user_t) to a new domain (let's say user_rpm_t)
upon executing rpm_exec_t so that rpm will run in that domain, and then
define a domain transition back from user_rpm_t to user_t upon executing
shell_exec_t so that rpm scriptlets will run in user_t. Or you could
define a user_rpm_script_t domain for that purpose.  If you define a
domain transition, it will use that instead of using rpm_script_t.  But
you not only need rpm scriptlets to run in a different domain; you also
need rpm itself to run in a different domain if you want to prevent the
user from overwriting arbitrary files.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
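
The two transitions described in the reply above, written out as a reference-policy module. This is an added example, not part of the original message and not policy shipped by any distribution. It assumes a refpolicy-based system where `user_t`, `user_r`, `rpm_exec_t` and `shell_exec_t` exist and where the base policy defines no transition of its own for `user_t` executing `rpm_exec_t`; the module name `user_rpm` is hypothetical and `user_rpm_t` is the name suggested in the reply.

```te
policy_module(user_rpm, 1.0.0)

# Types and role expected to exist already in the base policy (assumption).
gen_require(`
	type user_t, rpm_exec_t, shell_exec_t;
	role user_r;
')

# New domain for rpm itself when a confined user starts it.
type user_rpm_t;
domain_type(user_rpm_t)
domain_entry_file(user_rpm_t, rpm_exec_t)
role user_r types user_rpm_t;

# Transition 1: user_t executes a file labelled rpm_exec_t
# and the new process runs in user_rpm_t.
domtrans_pattern(user_t, rpm_exec_t, user_rpm_t)

# Transition 2: user_rpm_t executes a file labelled shell_exec_t
# (the scriptlet interpreter) and the new process runs in user_t.
# Because this module defines the transition for user_rpm_t,
# rpm_script_t is never entered from this domain.
corecmd_shell_entry_type(user_t)
domtrans_pattern(user_rpm_t, shell_exec_t, user_t)

# Deliberately no file rules for user_rpm_t here. SELinux denies
# anything not allowed, so rpm running in this domain can only
# touch what the site later grants it (rpm database, chosen
# install locations). Types for network interface configuration
# or kernel files are simply left out of those rules.
```

The module can be built with `make -f /usr/share/selinux/devel/Makefile user_rpm.pp` and loaded with `semodule -i user_rpm.pp`.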
