On 03/03/2010 01:37 AM, TaurusHarry wrote:
Hi
SELinux experts,
Thanks a lot for taking a look at my question. How could I implement
the bash "if-then-else" and "test" grammar in the current refpolicy
interface? For example, if I don't want the user_t to have the
privilege to execute any kind of shell, what proper grammar should I
use to implement something with the same logic as 'if ! test "X$1" =
"Xuser_t"' in the corecmd_exec_shell interface:

    interface(`corecmd_exec_shell',`
        gen_require(`
            type bin_t, shell_exec_t;
        ')
        if ! test "X$1" = "Xuser_t"; then
            list_dirs_pattern($1, bin_t, bin_t)
            read_lnk_files_pattern($1, bin_t, bin_t)
            can_exec($1, shell_exec_t)
        fi
    ')

Thank you very much!
Best regards,
Harry
No, that would not work. You need to define a new user type that a user
can log in with. user_nobin_t, or something. Then you are going to
need to define all the rules necessary for this user to log in and
execute the shell_exec_t and any other programs that you want them to
run.
You write this in policy not in shell scripting.