Hi SELinux experts,

Thanks a lot for taking a look at my question. How could I implement the bash "if-then-else" and "test" grammar in a current refpolicy interface?

For example, if I don't want user_t to have the privilege to execute any kind of shell, what proper grammar should I use to implement something with the same logic as 'if ! test "X$1" = "Xuser_t"' in the corecmd_exec_shell interface:

    interface(`corecmd_exec_shell',`
        gen_require(`
            type bin_t, shell_exec_t;
        ')

        if ! test "X$1" = "Xuser_t"; then
            list_dirs_pattern($1, bin_t, bin_t)
            read_lnk_files_pattern($1, bin_t, bin_t)
            can_exec($1, shell_exec_t)
        fi
    ')

Thank you very much!

Best regards,
Harry
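One way to express that test, shown as an added example that is not part of the original post: refpolicy interfaces are m4 macros, so the m4 builtin `ifelse` can compare `$1` with a literal type name when the interface is expanded. The one-line `interface` definition below is a simplified stand-in (an assumption, not the real support macro) so the file expands on its own with `m4`; the pattern macros are left undefined and pass through as text.

```m4
dnl Added example. Simplified stand-in for the refpolicy interface() macro
dnl (assumption: the real support macro does more bookkeeping than this).
define(`interface', `define(`$1', `$2')')dnl
dnl
interface(`corecmd_exec_shell',`
	gen_require(`
		type bin_t, shell_exec_t;
	')

	dnl String comparison at expansion time: emit no rules when $1 is user_t.
	ifelse(`$1',`user_t',`',`
		list_dirs_pattern($1, bin_t, bin_t)
		read_lnk_files_pattern($1, bin_t, bin_t)
		can_exec($1, shell_exec_t)
	')
')dnl
dnl
dnl Literal user_t: only the gen_require block is emitted.
corecmd_exec_shell(user_t)
dnl Any other domain (staff_t is a sample value): the three rules are emitted.
corecmd_exec_shell(staff_t)
```

The comparison is on the literal argument text, so it only matches callers that pass exactly `user_t`; it does not see attributes or aliases that include that type, and it does not remove shell execution granted through other interfaces.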