strict policy

Daniel J Walsh dwalsh at
Mon Jul 25 14:39:12 UTC 2005

Todd Merritt wrote:

>I'm getting started with selinux on FC 4.  I'm using the strict policy,
>but I'd like to restrict it further so that users can only execute a
>handful of commands.  I've tried replacing full_user_role(user_t) with
>limit_user role, but the drew assertion errors when trying to load the
>policy, and I tried removing restricting the can_exec in both full and
>limited_user_role macros in macros/user_macros.te, but (at least from
>looking at audit to allow) none of this seems to be getting me where I
>want to be.  What is the beast way to remove all access from user_t so
>that I can add in the commands I want them to be able to run ?
First update to the latest rawhide strict policy.  We have not been 
updating strict policy for FC4. 
Then you probably need to remove can_exec lines from base_user_macros.   
Problem is eliminating
them might set you up with a solution where a user can not login.  Are 
you doing this with a X Windows System, or
a server?

>fedora-selinux-list mailing list
>fedora-selinux-list at


More information about the fedora-selinux-list mailing list