On 05/06/2017 09:51 AM, Lakshmipathi.G wrote:
> Hi, I need some advice/suggestions on the setup below. We created 'guest_u' accounts with shell access. Now we would like to allow:
> 1) Only selected guest_u users have the "guest_exec_content -> on" permission (ex: user1, user3 have exec permission, but user2 doesn't).
No, this is not possible. From the SELinux POV you can map more UNIX users onto one SELinux user (ex: user1, user2, user3 -> guest_u). SELinux will see these users as guest_u, so for SELinux it's one user with the same permissions. If you allow a boolean (ex: guest_exec_content), it will be effective for all users mapped to guest_u.
> 2) For the users in (1), allow them to execute a specific binary (~/abc.bin) but not all (ex: user1, user3 can execute only ~/abc.bin but can't execute other binary files).
This is the same issue as the first one. You need to have a different context for user1, user3 than for user2, have a specific label for the binary (abc_exec_t), and then write appropriate rules for guest_u.
> Is it possible to achieve that? Any suggestion on how to create such a setup? Thanks.
You need to have 2 different SELinux users to be able to create the following setup.
Thanks, Lukas.
> ----
> Cheers,
> Lakshmipathi.G
> http://www.giis.co.in
> http://www.webminal.org
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
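The setup Lukas describes (a second SELinux user with its own domain, a dedicated type for the one binary, and per-login mappings) as an added example script; it is not from the thread or from the selinux-policy project, and it assumes Fedora/RHEL policy headers, a constructed module name guest2, and constructed user names and paths:

```shell
# Added example (not from the thread): a second restricted SELinux user, guest2_u,
# built with the same template as guest_u, so user1/user3 may run one labelled
# binary while user2 stays on guest_u with guest_exec_content off. Assumes
# Fedora/RHEL selinux-policy-devel headers, whose template also defines the
# <prefix>_exec_content boolean; users, paths and module name are constructed.
set -eu

# Which SELinux user each UNIX login maps to.
selinux_user_for() {
    case $1 in
        user1|user3) echo guest2_u ;;
        *)           echo guest_u  ;;
    esac
}

# Write the policy module sources (.te and .fc) into directory $1.
write_module() {
    cat > "$1/guest2.te" <<'EOF'
policy_module(guest2, 1.0.0)
# Same template that defines guest_u: yields guest2_u, guest2_r, guest2_t
# and a separate guest2_exec_content boolean.
userdom_restricted_user_template(guest2)
# Dedicated type for the one binary guest2 may execute.
type abc_exec_t;
files_type(abc_exec_t)
# Execute abc_exec_t in the guest2_t domain (no transition); nothing else
# in the home directory is executable once guest2_exec_content is off.
can_exec(guest2_t, abc_exec_t)
EOF
    cat > "$1/guest2.fc" <<'EOF'
/home/user1/abc\.bin  --  gen_context(system_u:object_r:abc_exec_t,s0)
/home/user3/abc\.bin  --  gen_context(system_u:object_r:abc_exec_t,s0)
EOF
}

# Build, load, map logins and relabel. Run as root on the SELinux host.
apply_module() {
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile guest2.pp)
    semodule -i "$1/guest2.pp"
    setsebool -P guest_exec_content=off guest2_exec_content=off
    for u in user1 user2 user3; do
        # use -m instead of -a if $u already has a login mapping
        semanage login -a -s "$(selinux_user_for "$u")" "$u"
    done
    restorecon -v /home/user1/abc.bin /home/user3/abc.bin
}

dir=$(mktemp -d)
write_module "$dir"   # always writes the sources; pass "apply" to load them
if [ "${1:-}" = apply ]; then apply_module "$dir"; fi
```

Check the result with `sesearch -A -s guest2_t -t abc_exec_t -c file` and `semanage login -l` after loading.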