Re: guest_u with limited guest_exec_content

Hi Lukas,

Sorry about the delay in response.

Okay, will check about adding labels. I'm not sure whether categories
or labels are easier to implement; will explore further. Thanks.

Thanks all for the help.
----
Cheers,
Lakshmipathi.G
http://www.giis.co.in http://www.webminal.org


On Wed, May 10, 2017 at 4:58 PM, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
> On 05/06/2017 09:51 AM, Lakshmipathi.G wrote:
>>
>> Hi,
>> I need some advise/suggestion on below setup. We created  'guest_u'
>> accounts with shell access.
>>
>> Now we like to allow:
>> 1) Only selected guest_u users have "guest_exec_content->on"
>> permission. (ex: user1,user3 have exec permission, but user2 doesn't have
>> permission)
>
>
> No, this is not possible. From the SELinux POV you can map multiple UNIX users to one
> SELinux user (ex: user1,user2,user3 -> guest_u). SELinux will see these users
> as guest_u, so for SELinux it's one user with the same permissions. If you enable a
> boolean (ex: guest_exec_content) it will be effective for all users mapped
> as guest_u.
>
>> 2) for users in (1), allow them to execute a specific binary (~/abc.bin)
>> but not all. (ex: user1,user3 can execute only ~/abc.bin but can't execute
>> other binary files)
>>
>
> This is the same issue as the first one. You need to have a different context
> for user1,user3 than for user2, a specific label for the
> binary (abc_exec_t), and then write appropriate rules for guest_u.
>
>> Is it possible to achieve this? Any suggestions on how to create such a setup?
>> Thanks.
>>
>
> You need to have 2 different SELinux users to be able to create the following
> setup.
>
> Thanks,
> Lukas.
>
>> ----
>> Cheers,
>> Lakshmipathi.G
>> http://www.giis.co.in http://www.webminal.org
>> _______________________________________________
>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>
>
>
> --
> Lukas Vrabec
> SELinux Solutions
> Red Hat, Inc.
>
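As an added example (this script is not from the thread, nor from Red Hat's policy; every name in it is an assumption), here is the setup Lukas describes carried out in shell: a second SELinux user/role/domain for the logins that may run ~/abc.bin, a dedicated file type for that one binary, and the remaining logins left on guest_u with guest_exec_content off. Assumed names are guestx_u, guestx_r, guestx_t and abc_exec_t; it assumes a Fedora/RHEL-style refpolicy with selinux-policy-devel installed, root privileges, and that user1, user2, user3 already exist with a guest_u login mapping as the original post states. With DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/bash
# Added example, not code from the thread. It implements the two-SELinux-user
# setup: guestx_u/guestx_r/guestx_t for logins that may run ~/abc.bin,
# abc_exec_t for that binary, and the other logins untouched on guest_u.
# Assumptions (all names hypothetical): Fedora/RHEL refpolicy macros,
# selinux-policy-devel installed, run as root. DRY_RUN=1 only prints commands.
set -eu

MODULE=guestx               # policy module name; also the user/role/type prefix
NEW_SEUSER="${MODULE}_u"
EXEC_USERS="user1 user3"    # logins that may execute ~/abc.bin
# user2 is not touched: it keeps its existing guest_u mapping.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Policy source. userdom_restricted_user_template() builds a guest_t-style
# restricted domain (assumption: on Fedora the template also creates a
# guestx_exec_content boolean, as it does guest_exec_content). abc_exec_t is an
# ordinary file type that only guestx_t may execute; guest_t gets no rule.
gen_policy() {
    cat <<EOF
policy_module(${MODULE}, 1.0)

userdom_restricted_user_template(${MODULE})

type abc_exec_t;
files_type(abc_exec_t)

# guestx_t may execute abc_exec_t files in place (no domain transition)
can_exec(${MODULE}_t, abc_exec_t)
EOF
}

build_and_load() {
    local dir
    dir=$(mktemp -d)
    gen_policy > "${dir}/${MODULE}.te"
    run make -C "$dir" -f /usr/share/selinux/devel/Makefile "${MODULE}.pp"
    run semodule -i "${dir}/${MODULE}.pp"
}

map_users() {
    # New SELinux user carrying only the new role; s0 = no MCS categories used.
    run semanage user -a -R "${MODULE}_r" -r s0 "${NEW_SEUSER}"
    # Re-point the selected logins (they already exist as guest_u, hence -m;
    # use -a instead for logins that have no explicit mapping yet).
    for u in $EXEC_USERS; do
        run semanage login -m -s "${NEW_SEUSER}" -r s0 "$u"
    done
}

lock_booleans() {
    # guest_u stays unable to run anything from $HOME ...
    run setsebool -P guest_exec_content off
    # ... and guestx_u must not get blanket exec either, only abc_exec_t.
    if getsebool "${MODULE}_exec_content" >/dev/null 2>&1; then
        run setsebool -P "${MODULE}_exec_content" off
    fi
}

label_binary() {
    run semanage fcontext -a -t abc_exec_t '/home/[^/]+/abc\.bin'
    run restorecon -v /home/*/abc.bin
}

verify() {
    run semanage login -l                    # user1/user3 -> guestx_u, user2 -> guest_u
    run sesearch -A -s "${MODULE}_t" -t abc_exec_t -c file -p execute   # one allow rule
    run sesearch -A -s guest_t -t abc_exec_t -c file -p execute         # must print nothing
}

main() {
    build_and_load
    map_users
    lock_booleans
    label_binary
    verify
}

if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as `./guestx-setup.sh apply` (or with `DRY_RUN=1` first to review the plan). The new login mapping takes effect at the next login; `id -Z` from a fresh user1 session should then show guestx_u:guestx_r:guestx_t:s0 while user2 still shows guest_u. Note that guestx_t, like guest_t, can still run system binaries labelled bin_t and friends; what this restricts is content under the user's own home directory, which is what the original question was about. If your policy's restricted-user template does not create a guestx_exec_content boolean, the getsebool check simply skips that step.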