locking down a secure-file-area

Security News wakesec at gmail.com
Thu Jun 16 21:09:22 UTC 2005

OK, what I'm trying to do now is to lock down a particular directory,
so that only people in a certain role may use the files in that
directory.  The best way I can see to do this is to have a user login
and the "newrole" their way into the new secure-area domain.

Here's what I have done thus far...
1) chcon -t securefiles_t /home/testuser/securefiles
2) I edited the policy/users file to allow certain users into a
"secureuser_r" role.
3) I edited policy/rbac to "allow user_r secureuser_r"
I created a file called policy/domains/misc/securefiles.te with the following:

<start .te file>
type secureuser_t, domain;
type securefiles_t, file_type;

role secureuser_r types secureuser_t;
allow secureuser_t securefiles_t:dir *;
allow secureuser_t securefiles:file *;
domain_auto_trans(user_t, newrole_exec_t, secureuser_t)
role_tty_type_change(user, secureuser)
allow newrole_t secureuser_t:process transition;

</end .te file>

I am able to comipile and load the policy, but when I login as
testuser and attempt to "newrole -r secureuser_r -t secureuser_t" my
terminal screen closes instantly.

My error log:
avc: denied {transition} for pid=4044 exe=/usr/bin/newrole
path=bin/bash  ... scontext=testuser:user_r:newrole_t

Any thoughts?

More information about the fedora-selinux-list mailing list