denying group of users from r/w/x files

Dominick Grift domg472 at gmail.com
Tue Feb 10 11:00:58 UTC 2009


On Mon, 2009-02-09 at 22:59 -0600, Ali Hamad wrote:
> Hello:

> remove all the SELinux rules ( targeted ) since I really do not need
> them. I only need SELinux to do only the following:

If you remove all SELinux rules then all access will be denied. The
system will not be able to operate then, I think.

You can, however, if required, remove the unconfined module. But in my
view that is not required. Just don't map any users to that unconfined
domain.

> a) create a rule for a file that can not be accessed from a known group
> of users, i.e. group A can not read/write/execute this file. However,
> the file permission is 666 and that file permission can not be changed.
> b) a directory that has permission of 777. However, group A of users
> can not write/read/execute it.

You could create a user domain for each or one of the two group(s) of
users, create a file type and only give the user domain that needs to
be able to access files with that type permission to read/write/execute.

mkdir ~/myuser1; cd ~/myuser1;
echo "policy_module(myuser1, 0.0.1)" > myuser1.te;
echo "role myuser1_r;" >> myuser1.te;
echo "userdom_unpriv_user_template(myuser1)" >> myuser1.te;

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i myuser1.pp

mkdir ~/myuser2; cd ~/myuser2;
echo "policy_module(myuser2, 0.0.1)" > myuser2.te;
echo "role myuser2_r;" >> myuser2.te;
echo "userdom_unpriv_user_template(myuser2)" >> myuser2.te;

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i myuser2.pp

# -L is the default MLS level, -r the allowed range, -R the roles the
# SELinux user may enter, -P the prefix used for home directory labelling
sudo semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
sudo semanage user -a -L s0 -r s0-s0 -R "myuser2_r" -P user myuser2


# write the per-user default contexts as root; each line maps the context of
# a login program (source) to the session context it should give this user.
# (a plain 'sudo echo ... > file' runs the redirection without root and fails)
sudo tee /etc/selinux/targeted/contexts/users/myuser1 > /dev/null <<'EOF'
system_r:local_login_t:s0	myuser1_r:myuser1_t:s0
system_r:remote_login_t:s0	myuser1_r:myuser1_t:s0
system_r:sshd_t:s0	myuser1_r:myuser1_t:s0
system_r:crond_t:s0	myuser1_r:myuser1_t:s0
system_r:xdm_t:s0	myuser1_r:myuser1_t:s0
myuser1_r:myuser1_su_t:s0	myuser1_r:myuser1_t:s0
myuser1_r:myuser1_sudo_t:s0	myuser1_r:myuser1_t:s0
system_r:initrc_su_t:s0	myuser1_r:myuser1_t:s0
myuser1_r:myuser1_t:s0	myuser1_r:myuser1_t:s0
EOF

sudo tee /etc/selinux/targeted/contexts/users/myuser2 > /dev/null <<'EOF'
system_r:local_login_t:s0	myuser2_r:myuser2_t:s0
system_r:remote_login_t:s0	myuser2_r:myuser2_t:s0
system_r:sshd_t:s0	myuser2_r:myuser2_t:s0
system_r:crond_t:s0	myuser2_r:myuser2_t:s0
system_r:xdm_t:s0	myuser2_r:myuser2_t:s0
myuser2_r:myuser2_su_t:s0	myuser2_r:myuser2_t:s0
myuser2_r:myuser2_sudo_t:s0	myuser2_r:myuser2_t:s0
system_r:initrc_su_t:s0	myuser2_r:myuser2_t:s0
myuser2_r:myuser2_t:s0	myuser2_r:myuser2_t:s0
EOF

sudo useradd -Z myuser1 myuser1
sudo useradd -Z myuser2 myuser2

mkdir ~/myfile; cd ~/myfile;
echo "policy_module(myfile, 0.0.1)" > myfile.te;
echo "type myfile_t;" >> myfile.te;
echo "files_type(myfile_t)" >> myfile.te;
echo "require { type myuser1_t; }" >> myfile.te;
# the file-class relabel permissions are spelled relabelto / relabelfrom
echo "allow myuser1_t myfile_t:file { getattr read write execute execute_no_trans relabelto relabelfrom };" >> myfile.te;

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i myfile.pp

Now myuser1 can chcon files to/from type myfile_t, which cannot be
accessed by myuser2. myuser1 can also read, write and execute files with
type myfile_t.

This example may have errors. Use it at your own risk. It is just an
example to give you an idea how you can achieve your goal.

hth, Dominick
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
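The recipe in the reply above, as an added example that is not Dominick's code: POSIX shell functions that generate the user-domain .te, the per-user login-contexts file and the private file-type module for any group name, plus a small sanity check on the contexts file. The function names are hypothetical, the paths are the targeted-policy defaults used in the reply, and install_module needs root and the selinux-policy devel Makefile, so it is not exercised here.

```shell
# Generators (hypothetical names) for the three artifacts the reply builds
# by hand: a confined user domain, its login contexts, and a file type.

# Print the .te source for a confined user domain built from
# userdom_unpriv_user_template. $1 = domain prefix, e.g. myuser1
gen_user_te() {
  printf 'policy_module(%s, 0.0.1)\nrole %s_r;\nuserdom_unpriv_user_template(%s)\n' \
    "$1" "$1" "$1"
}

# Print /etc/selinux/targeted/contexts/users/<name>: one line per login
# program (source context) naming the session context it should create.
gen_user_contexts() {
  u="$1"; t="${u}_r:${u}_t:s0"
  for src in system_r:local_login_t:s0 system_r:remote_login_t:s0 \
             system_r:sshd_t:s0 system_r:crond_t:s0 system_r:xdm_t:s0 \
             "${u}_r:${u}_su_t:s0" "${u}_r:${u}_sudo_t:s0" \
             system_r:initrc_su_t:s0 "$t"; do
    printf '%s\t%s\n' "$src" "$t"
  done
}

# Print the .te source for a private file type $1_t that only the user
# domain $2_t may read, write, execute and relabel to/from.
gen_file_te() {
  cat <<EOF
policy_module($1, 0.0.1)
type $1_t;
files_type($1_t)
require { type $2_t; }
allow $2_t $1_t:file { getattr read write execute execute_no_trans relabelto relabelfrom };
EOF
}

# Build and install a module from .te source on stdin (needs root and the
# selinux-policy devel Makefile); not run by the checks on this page.
install_module() {
  d=$(mktemp -d) || return 1
  cat > "$d/$1.te" &&
    make -C "$d" -f /usr/share/selinux/devel/Makefile "$1.pp" &&
    sudo semodule -i "$d/$1.pp"
}

# Count the login entries in a contexts file ($1) that map to the session
# context $2: a quick check before copying the file into place.
count_mappings() {
  awk -v t="$2" '$2 == t { n++ } END { print n + 0 }' "$1"
}
```

Run gen_user_te and gen_file_te through install_module once per group, then write gen_user_contexts output to the contexts/users file with sudo tee.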
