Thanks for the details.
----
Cheers,
Lakshmipathi.G
http://www.giis.co.in http://www.webminal.org


On Mon, May 22, 2017 at 5:45 PM, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
> On 05/19/2017 04:56 PM, Lakshmipathi.G wrote:
>>
>> Hi Lukas,
>>
>> Sorry about the delay in response.
>>
>> Okay, will check about adding labels. I'm not sure whether categories
>> or labels which is easier to implement, will explore further. Thanks.
>>
>
> You need to have 2 SELinux users here.
>
> Lukas.
>
>
>> Thanks all for the help.
>> ----
>> Cheers,
>> Lakshmipathi.G
>> http://www.giis.co.in http://www.webminal.org
>>
>>
>> On Wed, May 10, 2017 at 4:58 PM, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
>>>
>>> On 05/06/2017 09:51 AM, Lakshmipathi.G wrote:
>>>>
>>>>
>>>> Hi,
>>>> I need some advice/suggestion on below setup. We created 'guest_u'
>>>> accounts with shell access.
>>>>
>>>> Now we like to allow:
>>>> 1) Only selected guest_u users has "guest_exec_content->on"
>>>> permission. (ex: user1,user3 has exec permission, but user2 don't have
>>>> permission)
>>>
>>>
>>>
>>> No, this is not possible. From SELinux POV you can map more UNIX users
>>> on one SELinux user. (ex: user1,user2,user3 -> guest_u) SELinux will
>>> see these users as guest_u so for SELinux it's one user with same
>>> permissions. If you allow boolean (ex: guest_exec_content) it will be
>>> effective for all users mapped as guest_u.
>>>
>>>> 2) for users in (1) allow them to execute specific binary(~/abc.bin)
>>>> but not all. (ex: user1,user3 can execute only ~/abc.bin but can't
>>>> other binary files)
>>>>
>>>
>>> This is same issue like the first one. You need to have different
>>> context for user1,user3 than for user2 and have specific label for
>>> binary(abc_exec_t) and then write appropriate rules for guest_u.
>>>
>>>> Is that possible to achieve? any suggestion how to create such setup?
>>>> thanks.
>>>>
>>>
>>> You need to have 2 different SELinux users to be able to create
>>> following setup.
>>>
>>> Thanks,
>>> Lukas.
>>>
>>>> ----
>>>> Cheers,
>>>> Lakshmipathi.G
>>>> http://www.giis.co.in http://www.webminal.org
>>>> _______________________________________________
>>>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>>>
>>>
>>> --
>>> Lukas Vrabec
>>> SELinux Solutions
>>> Red Hat, Inc.
>
>
>
> --
> Lukas Vrabec
> Software Engineer, Security Technologies
> Red Hat, Inc.