Hi,

I did find out why this was not working: the “sshd_key_t” file type was given the attribute “non_security_file_type”, which is apparently governed by a preexisting allow directive. I can get around this by creating a new file type, explicitly adding the attributes I need (not using the files_type macro) and creating new allow directives, but I am not sure if this approach will cause other issues in the system. So the question I have is: is it possible to remove/disassociate an attribute from a predefined file type? Or should I be looking to reload the module that defines the type in question after appropriate changes to it, for minimal impact?

Thanks,
Raj

From: Raj Srinivasan

Hi,

I have just started with SELinux, and was trying (unsuccessfully) to restrict the sysadm role as my first exercise. I am using RHEL 7.1, and running SELinux with the minimum configuration in enforcing mode. I have a user called “admin” with the context “sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023”, and uid 1000. When I log in as admin and use su to become root, the context still remains the same, as one would expect.

I created a simple policy to restrict the sysadm_r role for testing purposes, and was able to compile and load it:

    policy_module(localpolicy, 1.0.0)

    gen_require(`
        type sysadm_t;
        type sshd_key_t;
    ')

    allow sysadm_t sshd_key_t:file { create_file_perms write_file_perms };

The idea was to prevent the sysadm_r role from being able to read a file with the sshd_key_t type even if the uid is changed to root via the su command, by allowing “create” and “write” permissions, but not “read” permission. I would appreciate it very much if anyone could let me know what I am missing, or if there is an easy way to troubleshoot. I tried to use the “neverallow” directive (with “read” permission) but after waiting for 10 minutes, the policy did not even load. I suspect there is some other rule in effect that grants read permission that I am not able to see using “sesearch -A”.

Thanks,
Raj
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
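The troubleshooting step the thread circles around, as an added example that is not part of the thread and not SELinux project code: list every allow rule that lets a domain read a file type, and tell the rules that name the type itself apart from the ones that reach it through an attribute the type carries (non_security_file_type in the thread). It assumes the setools CLIs seinfo and sesearch as shipped with RHEL 7 (setools 3; the sesearch flags used also exist in setools 4, where "-d" is spelled "-ds -dt"), a loaded policy, and the thread's sysadm_t and sshd_key_t as default arguments. The sample sesearch lines inside the test are constructed, in the output layouts of setools 3 and 4.

```shell
#!/bin/sh
# Added example; not code from the thread or from the SELinux project.
# Assumes the setools CLIs "seinfo" and "sesearch" as shipped with RHEL 7
# (setools 3; the sesearch flags used here also exist in setools 4, where
# "-d" is spelled "-ds -dt") and a loaded policy. SOURCE/TARGET defaults are
# the domain and file type from the thread.
#
# Question: which allow rules let SOURCE read files labelled TARGET? A rule
# whose target is an attribute that TARGET carries (non_security_file_type
# in the thread) grants the access just as a rule naming the type would, so
# the rules found for the type have to be split into "names the type" and
# "names one of its attributes".

SOURCE="${1:-sysadm_t}"
TARGET="${2:-sshd_key_t}"

# Collapse one sesearch allow line to "allow SRC TGT CLASS PERM...".
# setools 3 prints "allow a b : file { read open } ;", setools 4 prints
# "allow a b:file { open read };"; both become the same token list.
normalise_rule() {
    printf '%s\n' "$1" | sed \
        -e 's/[[:space:]]*:[[:space:]]*/ /' \
        -e 's/[{};]//g' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g'
}

# From raw sesearch output print, one per line, the target (type or
# attribute) of every allow rule on class CLS whose permissions include PERM.
targets_granting() {  # $1 = raw sesearch output, $2 = PERM, $3 = CLS
    raw=$1; perm=$2; cls=$3
    printf '%s\n' "$raw" | grep '^[[:space:]]*allow ' | while IFS= read -r line; do
        set -- $(normalise_rule "$line")   # $2 source, $3 target, $4 class
        tgt=$3; rcls=$4; shift 4
        [ "$rcls" = "$cls" ] || continue
        for p in "$@"; do
            if [ "$p" = "$perm" ]; then printf '%s\n' "$tgt"; break; fi
        done
    done
}

# "sesearch -t TYPE" (without -d) returns rules naming TYPE itself and rules
# naming any attribute TYPE carries, so every target that is not TYPE is
# one of its attributes. Prints "direct NAME" or "via-attribute NAME".
classify_targets() {  # $1 = TYPE, stdin = target names
    while IFS= read -r t; do
        if [ "$t" = "$1" ]; then printf 'direct %s\n' "$t"
        else printf 'via-attribute %s\n' "$t"; fi
    done
}

# Live queries; skipped where setools is not installed.
if command -v sesearch >/dev/null 2>&1 && command -v seinfo >/dev/null 2>&1; then
    echo "== attributes carried by $TARGET"
    seinfo -t "$TARGET" -x
    echo "== allow rules giving $SOURCE read on $TARGET:file (attributes expanded)"
    rules=$(sesearch -A -s "$SOURCE" -t "$TARGET" -c file -p read)
    printf '%s\n' "$rules"
    echo "== origin of each grant"
    targets_granting "$rules" read file | classify_targets "$TARGET"
    echo "== same query with -d: only rules that name $TARGET directly"
    sesearch -A -s "$SOURCE" -t "$TARGET" -c file -p read -d
fi
```

Run it as `sh find_read_grants.sh sysadm_t sshd_key_t` (script name is hypothetical). A line marked via-attribute is the one to chase with `seinfo -a ATTRIBUTE -x` to see which other types share the attribute, and therefore what else a rule written against it reaches. Two caveats worth keeping in mind when reading the output: SELinux allow rules only ever add permissions, so a loadable module that allows create and write cannot take an existing read grant away, and the permission-set macros in the thread's module (create_file_perms, write_file_perms) expand to more than the single named permission, so compare against the expanded list sesearch prints rather than the macro name.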