[Freeipa-users] Can we block usb access to users
Rob Crittenden
rcritten at redhat.com
Mon Jun 17 15:48:46 UTC 2013
RK RK wrote:
> Hi all,
>
> I am a beginner to IPA. Just now I configured IPA in my test environment.
> We just want to deploy it in production within a couple of weeks after
> understanding most things in IPA.
>
> One thing I want to know is can we block the access to USB storage
> devices like (pendrive, USB CD-ROM, etc.) for normal users who are logging
> into client machines in the IPA domain.
>
> If yes, please tell me how. Or else please suggest any other solution to
> achieve this.
Just throwing this out as an idea, but IPA supports assigning a
different SELinux context per-user, so in theory if you had a context
that didn't allow access to USB you could use that. By default, users
are unconfined_u when logging in.
This might require tweaking SELinux policy and shipping that around to
all the hosts, something that IPA doesn't help with right now (though
something like Puppet might).
rob