strict policy

Todd Merritt tmerritt at
Mon Jul 25 16:44:29 UTC 2005

I've updated to the devel version of the strict policy, I tried
commenting out the can_execs from the base_user_macro.te and
user_macros.te, but I still don't see anything in the audit log when I
try running a number of programs in the bin_t domain.  Is the some sort
of tracing that I can enable to see what policy is permitting execution
of a particular program ?

On Mon, 2005-07-25 at 10:39 -0400, Daniel J Walsh wrote:
> Todd Merritt wrote:
> >I'm getting started with selinux on FC 4.  I'm using the strict policy,
> >but I'd like to restrict it further so that users can only execute a
> >handful of commands.  I've tried replacing full_user_role(user_t) with
> >limit_user role, but the drew assertion errors when trying to load the
> >policy, and I tried removing restricting the can_exec in both full and
> >limited_user_role macros in macros/user_macros.te, but (at least from
> >looking at audit to allow) none of this seems to be getting me where I
> >want to be.  What is the beast way to remove all access from user_t so
> >that I can add in the commands I want them to be able to run ?
> >
> >  
> >
> First update to the latest rawhide strict policy.  We have not been 
> updating strict policy for FC4. 
> Then you probably need to remove can_exec lines from base_user_macros.   
> Problem is eliminating
> them might set you up with a solution where a user can not login.  Are 
> you doing this with a X Windows System, or
> a server?
> >Thanks,
> >Todd
> >
> >
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list at
> >
> >  
> >

More information about the fedora-selinux-list mailing list