Hi,

I have just started with SELinux, and was trying (unsuccessfully) to restrict the sysadm role as my first exercise. I am using RHEL 7.1, and running SELinux with the minimum configuration in enforcing mode. I have a user called "admin" with the context "sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023" and uid 1000. When I log in as admin and use su to become root, the context still remains the same, as one would expect.

I created a simple policy to restrict the sysadm_r role for testing purposes, and was able to compile and load it:

    policy_module(localpolicy, 1.0.0)

    gen_require(`
        type sysadm_t;
        type sshd_key_t;
    ')

    # grant create/write on sshd_key_t files, deliberately leaving out read
    allow sysadm_t sshd_key_t:file { create_file_perms write_file_perms };

The idea was to prevent the sysadm_r role from being able to read a file with the sshd_key_t type, even if the uid is changed to root via the su command, by allowing "create" and "write" permissions but not "read" permission.

I would appreciate it very much if anyone could let me know what I am missing, or if there is an easy way to troubleshoot. I tried to use the "neverallow" directive (with "read" permission), but after waiting for 10 minutes the policy did not even load. I suspect there is some other rule in effect that grants read permission that I am not able to see using "sesearch -A".

Thanks,
Raj
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
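Added example, not part of the original post or of the mailing list's reply. It shows the check this question turns on: SELinux is default-deny and an allow rule only ever adds permissions, so a module that allows create and write cannot take read away; the read must be granted by some other rule, and neverallow is a build-time assertion that fails when such a rule exists rather than removing it. The script filters sesearch output for file:read grants (so it runs offline on a constructed sample), wraps the live setools 3 queries used on RHEL 7, and checks the result on the host. The DOMAIN and TARGET defaults, the scratch path and SAMPLE_RULES are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: RHEL 7 with
# setools 3 (sesearch/seinfo) and auditd; the DOMAIN/TARGET defaults, the
# scratch path and SAMPLE_RULES below are made up for illustration.
#
# Why the module in the post changes nothing: SELinux is default-deny, and an
# "allow" rule can only add permissions. Leaving "read" out of the rule does
# not revoke a read granted elsewhere; the grant has to be found and removed
# from the policy that contains it.

DOMAIN="${DOMAIN:-sysadm_t}"
TARGET="${TARGET:-sshd_key_t}"

# Keep only allow rules on class "file" whose permission set contains "read".
# Handles sesearch's "{ a b c }" and single-permission forms, and the
# "ET/DT allow ... ; [ bool ]" lines that sesearch -C prints for
# boolean-gated rules. Pure text filter, so it runs without setools.
filter_read_grants() {
    awk '
        ($1 == "allow" || $2 == "allow") && index($0, " : file ") {
            s = $0
            if (sub(/^.*\{/, "", s)) {
                sub(/\}.*$/, "", s)            # "{ read getattr }" -> perms
            } else {
                sub(/^.* : file /, "", s)      # "file read ;" -> "read ;"
                sub(/ ;.*$/, "", s)
            }
            n = split(s, p, " ")
            for (i = 1; i <= n; i++) {
                if (p[i] == "read") { print; break }
            }
        }'
}

# Live query on the host (run as root). sesearch matches through type
# attributes, so a rule written against an attribute that sysadm_t carries
# is reported too; -C includes boolean-gated rules. Anything printed here is
# why "cat" still works after loading the module from the post. It also
# shows what macros such as create_file_perms actually expanded to.
find_read_grants() {
    sesearch -A -C -s "$DOMAIN" -t "$TARGET" -c file -p read
}

# Attributes of the domain, to see where an attribute-based grant came from.
show_domain_attrs() {
    seinfo -t"$DOMAIN" -x
}

# End-to-end check: label a probe file, read it from the admin session
# (after su) and look for the AVC. A successful cat means a grant is still
# in effect and the module did not restrict anything.
verify_denial() {
    probe="/root/sshd_key_probe"          # assumed scratch path
    echo probe > "$probe"
    chcon -t "$TARGET" "$probe"
    if cat "$probe" >/dev/null 2>&1; then
        echo "read still allowed from $(id -Z)"
    else
        echo "read denied; matching AVC records:"
        ausearch -m AVC -ts recent -c cat
    fi
    rm -f "$probe"
}

# Constructed sesearch-style output, so the filter can be exercised offline.
SAMPLE_RULES='allow sysadm_t sshd_key_t : file { create write } ;
allow sysadm_t sshd_key_t : file { read getattr open } ;
ET allow sysadm_t sshd_key_t : file read ; [ some_bool ]
allow sysadm_t sshd_key_t : dir { read search } ;'

# Prints the two lines from SAMPLE_RULES that grant file:read.
demo_filter() {
    printf '%s\n' "$SAMPLE_RULES" | filter_read_grants
}
```

On the box, `find_read_grants` is the command to run first: if it prints anything, that rule (or the attribute it is written against, visible with `show_domain_attrs`) is what has to change, and no additional allow rule will alter the outcome of `verify_denial`.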