denying group of users from r/w/x files
Dominick Grift
domg472 at gmail.com
Tue Feb 10 11:00:58 UTC 2009
On Mon, 2009-02-09 at 22:59 -0600, Ali Hamad wrote:
> Hello :
> remove all the SELinux rules (targeted) since I really do not need
> them. I only need selinux to do only the following :
If you remove all SELinux rules then all access will be denied. The
system will not be able to operate then, I think.
You can, however, if required, remove the unconfined module. But in my
view that is not required. Just don't map any users to that unconfined
domain.
> a) create a rule for file that can not be accessed from known group
> of users. i.e group A can not read/write/execute this file. However,
> the file permission is 666 and that file permission can not be changed.
> b) directory that has permission of 777. However, group A of users
> can not write/read/execute it.
You could create a user domain for each or one of the two group(s) of
users, create a files type and only give the user domain that needs to
be able to access files with that type permission to read/write/execute.
# Build and install a confined user domain for each group of users.
mkdir ~/myuser1; cd ~/myuser1
echo "policy_module(myuser1, 0.0.1)" > myuser1.te
echo "role myuser1_r;" >> myuser1.te
echo "userdom_unpriv_user_template(myuser1)" >> myuser1.te
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i myuser1.pp

mkdir ~/myuser2; cd ~/myuser2
echo "policy_module(myuser2, 0.0.1)" > myuser2.te
echo "role myuser2_r;" >> myuser2.te
echo "userdom_unpriv_user_template(myuser2)" >> myuser2.te
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i myuser2.pp

# Add an SELinux user for each domain (-R lists the roles; -L and -r are the
# default level and range).
sudo semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
sudo semanage user -a -L s0 -r s0-s0 -R "myuser2_r" -P user myuser2

# Default contexts for each SELinux user. "sudo echo ... > file" does not
# work, because your shell opens the file before sudo runs; write it
# through "sudo tee" instead.
sudo tee /etc/selinux/targeted/contexts/users/myuser1 > /dev/null << 'EOF'
system_r:local_login_t:s0 myuser1_r:myuser1_t:s0
system_r:remote_login_t:s0 myuser1_r:myuser1_t:s0
system_r:sshd_t:s0 myuser1_r:myuser1_t:s0
system_r:crond_t:s0 myuser1_r:myuser1_t:s0
system_r:xdm_t:s0 myuser1_r:myuser1_t:s0
myuser1_r:myuser1_su_t:s0 myuser1_r:myuser1_t:s0
myuser1_r:myuser1_sudo_t:s0 myuser1_r:myuser1_t:s0
system_r:initrc_su_t:s0 myuser1_r:myuser1_t:s0
myuser1_r:myuser1_t:s0 myuser1_r:myuser1_t:s0
EOF

sudo tee /etc/selinux/targeted/contexts/users/myuser2 > /dev/null << 'EOF'
system_r:local_login_t:s0 myuser2_r:myuser2_t:s0
system_r:remote_login_t:s0 myuser2_r:myuser2_t:s0
system_r:sshd_t:s0 myuser2_r:myuser2_t:s0
system_r:crond_t:s0 myuser2_r:myuser2_t:s0
system_r:xdm_t:s0 myuser2_r:myuser2_t:s0
myuser2_r:myuser2_su_t:s0 myuser2_r:myuser2_t:s0
myuser2_r:myuser2_sudo_t:s0 myuser2_r:myuser2_t:s0
system_r:initrc_su_t:s0 myuser2_r:myuser2_t:s0
myuser2_r:myuser2_t:s0 myuser2_r:myuser2_t:s0
EOF

# Create the Linux accounts mapped to the new SELinux users.
sudo useradd -Z myuser1 myuser1
sudo useradd -Z myuser2 myuser2

# A file type that only myuser1_t may read, write, execute and relabel to/from.
mkdir ~/myfile; cd ~/myfile
echo "policy_module(myfile, 0.0.1)" > myfile.te
echo "type myfile_t;" >> myfile.te
echo "files_type(myfile_t)" >> myfile.te
echo "require { type myuser1_t; }" >> myfile.te
# The permissions are spelled relabelto/relabelfrom (no underscore); "open"
# is needed on policies that define the open permission.
echo "allow myuser1_t myfile_t:file { getattr open read write execute execute_no_trans relabelto relabelfrom };" >> myfile.te
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i myfile.pp
Now myuser1 can chcon files to/from type myfile_t, which cannot be
accessed by myuser2. myuser1 can also read, write and execute files with
type myfile_t.
This example may have errors. Use it at your own risk. It is just an
example to give you an idea how you can achieve your goal.
hth, Dominick
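As an added example (not from Dominick's post or the fedora-selinux-list), this is a hardened variant of the myfile module above: it adds a neverallow assertion against myuser2_t, a file context entry so the label survives a relabel, a pre-build check that every type the rules name is declared or required, and a sesearch query to confirm the loaded policy grants myuser2_t nothing on myfile_t. It assumes both user modules from the post are already installed and uses /srv/groupa as an assumed example path.

```shell
# Emit the policy source. The neverallow is an assertion: linking fails if any
# rule, from this module or another, would grant myuser2_t these permissions.
gen_myfile_te() {
cat << 'EOF'
policy_module(myfile, 0.0.2)
type myfile_t;
files_type(myfile_t)
require {
    type myuser1_t;
    type myuser2_t;
}
allow myuser1_t myfile_t:file { getattr open read write execute execute_no_trans relabelto relabelfrom };
# Only checked at link time when expand-check=1 in /etc/selinux/semanage.conf
neverallow myuser2_t myfile_t:file { getattr open read write execute relabelto relabelfrom };
EOF
}

# File context entry (assumed path) so restorecon labels the tree persistently;
# a plain chcon is lost on the next full relabel.
gen_myfile_fc() {
    printf '%s\n' '/srv/groupa(/.*)?    gen_context(system_u:object_r:myfile_t,s0)'
}

# Pre-build check on a .te read from stdin: every source and target type in
# allow/neverallow lines must be declared ("type X;") or imported in require.
# Prints each undeclared type and returns 1 if there is any.
check_te_types() {
    te=$(cat)
    declared=$(printf '%s\n' "$te" | sed -n 's/^[[:space:]]*type \([A-Za-z0-9_]*\);.*/\1/p')
    used=$(printf '%s\n' "$te" | sed -nE 's/^(allow|neverallow) ([A-Za-z0-9_]+) ([A-Za-z0-9_]+):.*/\2 \3/p' | tr ' ' '\n' | sort -u)
    rc=0
    for t in $used; do
        printf '%s\n' "$declared" | grep -qx "$t" || { echo "undeclared type: $t"; rc=1; }
    done
    return $rc
}

# Count allow rules in the *loaded* policy that let domain $1 reach myfile_t
# files (sesearch from setools); for myuser2_t the answer should be 0.
count_file_rules() {
    command -v sesearch > /dev/null || { echo "sesearch not installed" >&2; return 2; }
    sesearch -A -s "$1" -t myfile_t -c file | grep -c '^allow' || true
}
```

Run `gen_myfile_te | check_te_types && gen_myfile_te > myfile.te && gen_myfile_fc > myfile.fc` before the make step from the post; after `semodule -i`, `count_file_rules myuser2_t` checks the result against the policy that is actually loaded.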
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list