Re: guest_u with limited guest_exec_content

[Lukas Vrabec <lvrabec@xxxxxxxxxx>]

On 05/19/2017 04:56 PM, Lakshmipathi.G wrote:
> Hi Lukas,
>
> Sorry about the delay in response.
>
> Okay, will check about adding labels. I'm not sure whether categories
> or labels which is easier to implement, will explore further. thanks.

You need to have 2 SELinux users here.

Lukas.

> Thanks all for the help.
> ----
> Cheers,
> Lakshmipathi.G
> http://www.giis.co.in http://www.webminal.org
>
>
> On Wed, May 10, 2017 at 4:58 PM, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
> > On 05/06/2017 09:51 AM, Lakshmipathi.G wrote:
> > > Hi,
> > > I need some advise/suggestion on below setup. We created  'guest_u'
> > > accounts with shell access.
> > >
> > > Now we like to allow:
> > > 1) Only selected guest_u users has "guest_exec_content->on"
> > > permission. (ex: user1,user3 has exec permission, but user2 don't have
> > > permission)
> >
> >
> > No this is not possible, from SELinux POV you can map more UNIX users on one
> > SELinux user. (ex: user1,user2,user3 -> guest_u) SELinux will se these users
> > as guest_u so for SELinux it's one user with same permissions. If you allow
> > boolean (ex: guest_exec_content) it will be effective for all users mapped
> > as guest_u.
> >
> > > 2) for users in (1) allow them to execute specific binary(~/abc.bin)
> > > but not all. (ex: user1,user3 can execute only ~/abc.bin but can't
> > > other binary files)
> >
> > This is same issue like the first one. You need to have different context
> > for user1,user3 then for user2 and have specific label for
> > binary(abc_exec_t) and then write appropriate rules for guest_u.
> >
> > > Is that possible to achieve? any suggestion how to create such setup?
> > > thanks.
> >
> > You need to have 2 different SELinux users to be able create following
> > setup.
> >
> > Thanks,
> > Lukas.
> >
> > > ----
> > > Cheers,
> > > Lakshmipathi.G
> > > http://www.giis.co.in http://www.webminal.org
> > > _______________________________________________
> > > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> >
> >
> > --
> > Lukas Vrabec
> > SELinux Solutions
> > Red Hat, Inc.
> >
> > _______________________________________________
> > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx


--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx