scp only using SELinux

Eamon Walsh ewalsh at tycho.nsa.gov
Mon May 4 21:25:50 UTC 2009


Vadym Chepkov wrote:
> Hi,
>
> I wonder if it is possible to achieve "scp only" capability for a user just by using SELinux? Basically I want a user to be able to only upload/download files from his home via scp/sftp and nothing else. Thank you.
>
> Sincerely yours,
>   Vadym Chepkov
>


As a first effort you could place the scp and sftp binaries into a
separate domain, create a role that can only enter that domain, and
place the user in that role.  However, if shell access is required
(including whatever ssh does at login time) the policy could get more
complicated.  You could also use the networking controls to only allow
outgoing connections on the ports for scp/sftp/ssh.

But in general, yes, SELinux is well-suited to this type of task.


-- 
Eamon Walsh <ewalsh at tycho.nsa.gov>
National Security Agency
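
The "first effort" Eamon sketches above, as an added example that is not part of the thread and not taken from any Fedora or Reference Policy module: a session domain that sshd hands the login to, a role that can enter only that domain, an SELinux user restricted to that role, and the outbound-ssh-port-only network rule. Every name is an assumption (domain scp_only_t, exec type scp_only_exec_t, role scp_only_r, SELinux user scp_only_u, Linux login scpuser), and the refpolicy interfaces used are those of the 2009-era Fedora policy, so check them against /usr/share/selinux/devel/include on the target before building. The script writes the module sources and, when asked, builds and loads them with the stock selinux-policy-devel Makefile and semanage.

```shell
#!/bin/sh
# Added example, not the list's or Fedora's code. Hypothetical names throughout:
# scp_only_t / scp_only_exec_t / scp_only_r / scp_only_u and the login "scpuser".
#   sh scp_only.sh [DIR]          write scp_only.te, scp_only.fc and scp_only_u into DIR
#   sh scp_only.sh DIR install    also build, load and map the login (root on the SELinux host)

scp_only_te() {
cat <<'EOF'
policy_module(scp_only, 1.0.0)

# Session domain sshd hands the login to, plus the entry type carried
# by the only two programs the user is allowed to execute.
type scp_only_t;
type scp_only_exec_t;
domain_type(scp_only_t)
domain_entry_file(scp_only_t, scp_only_exec_t)
corecmd_shell_entry_type(scp_only_t)
role scp_only_r types scp_only_t;

allow scp_only_t self:process { fork signal sigchld getsched };
allow scp_only_t self:fifo_file rw_fifo_file_perms;
allow scp_only_t self:unix_stream_socket create_stream_socket_perms;

# sshd runs "$SHELL -c 'scp -t ...'" or "-c .../sftp-server": the shell and
# the two binaries labelled scp_only_exec_t may run; nothing in bin_t may.
corecmd_exec_shell(scp_only_t)
can_exec(scp_only_t, scp_only_exec_t)

# Full access to the user's own home directory and nothing outside it.
userdom_search_user_home_dirs(scp_only_t)
userdom_manage_user_home_content_dirs(scp_only_t)
userdom_manage_user_home_content_files(scp_only_t)
userdom_user_home_dir_filetrans_user_home_content(scp_only_t, { dir file })

files_read_etc_files(scp_only_t)
libs_use_ld_so(scp_only_t)
libs_use_shared_libs(scp_only_t)
miscfiles_read_localization(scp_only_t)
auth_use_nsswitch(scp_only_t)

# stdin/stdout are the sshd child's socketpair; let sshd move the
# session into this domain and role.
ssh_sigchld(scp_only_t)
ssh_rw_stream_sockets(scp_only_t)
gen_require(`
	type sshd_t;
	role system_r;
')
allow sshd_t scp_only_t:process transition;
dontaudit sshd_t scp_only_t:process { noatsecure siginh rlimitinh };
allow system_r scp_only_r;

# The networking control from the reply: outbound TCP to the ssh port only.
# Inert until the domain is also allowed to run the ssh client.
allow scp_only_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(scp_only_t)
corenet_tcp_sendrecv_generic_node(scp_only_t)
corenet_tcp_connect_ssh_port(scp_only_t)
EOF
}

scp_only_fc() {
cat <<'EOF'
/usr/bin/scp                     -- gen_context(system_u:object_r:scp_only_exec_t,s0)
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:scp_only_exec_t,s0)
EOF
}

# Per-user default contexts: a login arriving through sshd gets the scp_only
# role and domain; with no entry for local_login_t or getty, a console login
# finds no valid context and is refused.
scp_only_user_contexts() {
	echo 'system_r:sshd_t:s0 scp_only_r:scp_only_t:s0'
}

scp_only_write_sources() {
	mkdir -p "$1"
	scp_only_te > "$1/scp_only.te"
	scp_only_fc > "$1/scp_only.fc"
	scp_only_user_contexts > "$1/scp_only_u"
}

scp_only_install() {	# $1 = source dir, $2 = Linux login to confine
	make -C "$1" -f /usr/share/selinux/devel/Makefile scp_only.pp
	semodule -i "$1/scp_only.pp"
	restorecon -v /usr/bin/scp /usr/libexec/openssh/sftp-server
	semanage user -a -R scp_only_r scp_only_u
	install -m 644 "$1/scp_only_u" /etc/selinux/targeted/contexts/users/scp_only_u
	semanage login -a -s scp_only_u "$2"
	# Stay permissive while exercising scp and sftp, read "audit2allow -a",
	# then "semanage permissive -d scp_only_t" once nothing new is denied.
	semanage permissive -a scp_only_t
}

dir=${1:-${TMPDIR:-/tmp}/scp_only}
scp_only_write_sources "$dir"
if [ "${2:-}" = install ]; then scp_only_install "$dir" scpuser; fi
```

Two caveats that come with this shape. Relabelling /usr/bin/scp and sftp-server to scp_only_exec_t takes them out of bin_t, so any other confined domain that ran scp before now needs `can_exec(that_t, scp_only_exec_t)` (or keep a separately labelled copy for the restricted users). And the sftp subsystem in sshd_config must point at the /usr/libexec/openssh/sftp-server binary: with `Subsystem sftp internal-sftp` no exec takes place in the child, so the transition into scp_only_t this module relies on never happens.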
