On 11/14/2016 08:04 AM, Naina Emmanuel wrote:
Good afternoon!
How to we can any process permission to any specific user ?
As processes run with the privileges of user under which they are
running....
do we have any policy module for that?
Good morning,
For example, you have mapped the Linux user (user) to the SELinux user (staff_u).
# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
user                 staff_u              s0:c0.c1023          *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
If you execute some binary and there is no SELinux transition, the
process will run in the *staff_t* user domain.
Example:
$ ps -efZ | grep firefox
staff_u:staff_r:staff_t:s0:c0.c1023 user 2319 1 22 09:32 tty2 00:14:38 /usr/lib64/firefox/firefox
So, if you want to change permissions for userdomains, you need to
userdomain modules. In the refpolicy or selinux-policy Fedora repo you can
find userdomain here:
https://github.com/fedora-selinux/selinux-policy/tree/rawhide-base/policy/modules/roles
https://github.com/TresysTechnology/refpolicy/tree/master/policy/modules/roles
Lukas.
thanks
Engr. Naina Emmanuel
Cryptography Certified
Linux Essential Certified (LEPDC)
Cisco Certified Network Associate (CCNA)
Computer Engineering Department, UET Taxila
Information Security, CS Department, CIIT Islamabad
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
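
The check described in the reply above, as an added example that is not part of the original thread or of any SELinux tool: it parses `semanage login -l` and `ps -efZ` output and reports whether each process still runs in the login's user domain or has transitioned. The sample input is constructed (the ssh_t line in particular), and deriving the user domain by renaming `_u` to `_t` is an assumption based on the staff_u/staff_t naming shown in the thread.

```python
import re

# Constructed sample data modelled on the output quoted in the thread.
SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
user                 staff_u              s0:c0.c1023          *
root                 unconfined_u         s0-s0:c0.c1023       *
"""
# Second line is a constructed case of a process that left the user domain.
PS_EFZ = """\
staff_u:staff_r:staff_t:s0:c0.c1023 user 2319 1 22 09:32 tty2 00:14:38 /usr/lib64/firefox/firefox
staff_u:staff_r:ssh_t:s0:c0.c1023 user 2400 2319 0 09:40 tty2 00:00:01 /usr/bin/ssh host
"""

def parse_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range may itself contain ':'."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": rest[0] if rest else None}

def parse_login_map(text):
    """Return {login name: SELinux user} from `semanage login -l` output."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] != "Login":  # skip header and blank lines
            mapping[fields[0]] = fields[1]
    return mapping

def audit(ps_text, login_map):
    """Report, per `ps -efZ` line, whether the process is still in the user domain."""
    report = []
    for line in filter(str.strip, ps_text.splitlines()):
        ctx, login, pid, *_ = line.split()
        c = parse_context(ctx)
        seuser = login_map.get(login) or login_map["__default__"]
        # Assumption: user domain is named after the SELinux user (staff_u -> staff_t).
        user_domain = re.sub(r"_u$", "_t", seuser)
        report.append({"pid": int(pid), "login": login, "domain": c["type"],
                       "mapping_ok": c["user"] == seuser,
                       "transitioned": c["type"] != user_domain})
    return report

if __name__ == "__main__":
    for row in audit(PS_EFZ, parse_login_map(SEMANAGE_LOGIN)):
        print(row)
```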