Re: strict policy

Todd Merritt wrote: >I'm getting started with selinux on FC 4. I'm using the strict policy, >but I'd like to restrict it further so that users can only execute a >handful of commands. I've tried replacing full_user_role(user_t) with >limit_user role, but the drew assertion errors when trying to load the >policy, and I tried removing restricting the can_exec in both full and >limited_user_role macros in macros/user_macros.te, but (at least from >looking at audit to allow) none of this seems to be getting me where I >want to be. What is the beast way to remove all access from user_t so >that I can add in the commands I want them to be able to run ? > > > First update to the latest rawhide strict policy. We have not been updating strict policy for FC4. Then you probably need to remove can_exec lines from base_user_macros. Problem is eliminating them might set you up with a solution where a user can not login. Are you doing this with a X Windows System, or a server?