On 05/19/2017 04:56 PM, Lakshmipathi.G wrote:
Hi Lukas,
Sorry about the delay in response.
Okay, will check about adding labels. I'm not sure whether categories
or labels which is easier to implement, will explore further. thanks.
You need to have 2 SELinux users here.
Lukas.
Thanks all for the help.
----
Cheers,
Lakshmipathi.G
http://www.giis.co.in http://www.webminal.org
On Wed, May 10, 2017 at 4:58 PM, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
On 05/06/2017 09:51 AM, Lakshmipathi.G wrote:
Hi,
I need some advise/suggestion on below setup. We created 'guest_u'
accounts with shell access.
Now we like to allow:
1) Only selected guest_u users has "guest_exec_content->on"
permission. (ex: user1,user3 has exec permission, but user2 don't have
permission)
No this is not possible, from SELinux POV you can map more UNIX users on one
SELinux user. (ex: user1,user2,user3 -> guest_u) SELinux will se these users
as guest_u so for SELinux it's one user with same permissions. If you allow
boolean (ex: guest_exec_content) it will be effective for all users mapped
as guest_u.
2) for users in (1) allow them to execute specific binary(~/abc.bin)
but not all. (ex: user1,user3 can execute only ~/abc.bin but can't
other binary files)
This is same issue like the first one. You need to have different context
for user1,user3 then for user2 and have specific label for
binary(abc_exec_t) and then write appropriate rules for guest_u.
Is that possible to achieve? any suggestion how to create such setup?
thanks.
You need to have 2 different SELinux users to be able create following
setup.
Thanks,
Lukas.
----
Cheers,
Lakshmipathi.G
http://www.giis.co.in http://www.webminal.org
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx