Hi, I need some advice/suggestion on the setup below. We created 'guest_u' accounts with shell access.
Now we would like to allow:
1) Only selected guest_u users have the "guest_exec_content->on" permission. (ex: user1,user3 have exec permission, but user2 doesn't have permission)
2) For users in (1), allow them to execute a specific binary (~/abc.bin) but not all. (ex: user1,user3 can execute only ~/abc.bin but can't execute other binary files)
Is that possible to achieve? Any suggestion how to create such a setup? Thanks.
---- Cheers, Lakshmipathi.G http://www.giis.co.in http://www.webminal.org
On 05/06/2017 09:51 AM, Lakshmipathi.G wrote:
> Hi, I need some advice/suggestion on the setup below. We created 'guest_u' accounts with shell access.
> Now we would like to allow:
> - Only selected guest_u users have the "guest_exec_content->on"
> permission. (ex: user1,user3 have exec permission, but user2 doesn't have permission)
No, this is not possible. From the SELinux POV you can map more UNIX users onto one SELinux user (ex: user1,user2,user3 -> guest_u). SELinux will see these users as guest_u, so for SELinux it's one user with the same permissions. If you allow a boolean (ex: guest_exec_content) it will be effective for all users mapped as guest_u.
> - for users in (1) allow them to execute a specific binary (~/abc.bin)
> but not all. (ex: user1,user3 can execute only ~/abc.bin but can't execute other binary files)
This is the same issue as the first one. You need to have a different context for user1,user3 than for user2, have a specific label for the binary (abc_exec_t) and then write appropriate rules for guest_u.
> Is that possible to achieve? Any suggestion how to create such a setup? Thanks.
You need to have 2 different SELinux users to be able to create the following setup.
Thanks, Lukas.
> Cheers, Lakshmipathi.G http://www.giis.co.in http://www.webminal.org
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
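Putting Lukas's answer into commands, as an added example (this is not code from the thread or from the selinux-policy project): user1 and user3 are mapped to a new SELinux user with its own role and domain, user2 stays on guest_u, and the one permitted binary gets its own type that only the new domain may execute. The names abcguest (module, role abcguest_r, domain abcguest_t, SELinux user abcguest_u) and the path /home/user1/abc.bin are assumptions; abc_exec_t is the label Lukas mentions. The script assumes a Fedora/RHEL targeted policy with selinux-policy-devel installed, that `userdom_restricted_user_template` (the template Fedora's guest module is built from) generates an `abcguest_exec_content` boolean the same way guest_exec_content is generated, and that the new SELinux user needs a default-contexts file derived from guest_u's.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from selinux-policy.
# Goal: user1/user3 may execute exactly one labelled binary, user2 may execute
# nothing from $HOME. Assumed names: module/role/domain "abcguest", SELinux user
# abcguest_u, binary /home/user1/abc.bin. abc_exec_t is the label from the thread.
# Needs a Fedora/RHEL targeted policy with selinux-policy-devel installed.

MODULE=abcguest
EXEC_TYPE=abc_exec_t
BINARY=/home/user1/abc.bin
CONTEXTS_DIR=/etc/selinux/targeted/contexts/users

# Print the type-enforcement module. It is rendered to stdout first so the
# policy can be reviewed before anything is loaded.
render_policy_module() {
    cat <<EOF
policy_module(${MODULE}, 1.0.0)

# New role ${MODULE}_r and domain ${MODULE}_t from the same template that
# Fedora's guest module uses, so the domain starts out guest-equivalent.
userdom_restricted_user_template(${MODULE})

# Label for the one permitted binary. It is a plain file type on purpose:
# declaring it an executable (exec_type) type would let guest_t run it too,
# because the guest domain may already execute every exec_type file.
type ${EXEC_TYPE};
files_type(${EXEC_TYPE})

# Only the new domain may read, map and execute files of that type.
# can_exec() includes execute_no_trans, so the binary runs in ${MODULE}_t.
can_exec(${MODULE}_t, ${EXEC_TYPE})
EOF
}

# Derive the default-contexts file of the new SELinux user from guest_u's
# (stdin -> stdout). Without it, logins as abcguest_u cannot pick a context.
render_user_contexts() {
    sed "s/guest_r:guest_t/${MODULE}_r:${MODULE}_t/g"
}

# Load the module and wire up users, labels and booleans. Run as root.
apply_setup() {
    workdir=$(mktemp -d) || return 1
    render_policy_module > "${workdir}/${MODULE}.te"
    # Build and load the module with the policy devel Makefile.
    make -C "$workdir" -f /usr/share/selinux/devel/Makefile "${MODULE}.pp" || return 1
    semodule -i "${workdir}/${MODULE}.pp" || return 1

    # SELinux user that may only take the new role, plus its login contexts.
    semanage user -a -R "${MODULE}_r" "${MODULE}_u" || return 1
    render_user_contexts < "${CONTEXTS_DIR}/guest_u" > "${CONTEXTS_DIR}/${MODULE}_u" || return 1

    # Linux login -> SELinux user. Use "semanage login -m" for logins that are
    # already mapped (the thread's accounts were created as guest_u).
    semanage login -a -s "${MODULE}_u" user1 || return 1
    semanage login -a -s "${MODULE}_u" user3 || return 1
    semanage login -a -s guest_u user2 || return 1

    # Label just the permitted binary; the rest of $HOME stays user_home_t.
    semanage fcontext -a -t "$EXEC_TYPE" "$BINARY" || return 1
    restorecon -v "$BINARY" || return 1

    # Keep the "execute anything in home" switches off for both domains
    # (the template is assumed to generate ${MODULE}_exec_content the same
    # way guest_exec_content is generated).
    setsebool -P guest_exec_content off || return 1
    setsebool -P "${MODULE}_exec_content" off || return 1
}

case "${1:-}" in
    apply) apply_setup ;;
    *)     render_policy_module ;;
esac
```

Run it without arguments to print the policy module for review; run `sh abcguest-setup.sh apply` as root to load everything. The design point that matters is that abc_exec_t is declared with files_type rather than as an executable type: the guest domain already has exec rights on bin_t and, through corecmd_exec_bin, on the exec_type attribute, so an exec_type label would be runnable by user2 as well. Verify afterwards with `semanage login -l`, `ls -Z /home/user1/abc.bin` and `sesearch -A -s guest_t -t abc_exec_t -c file`, which should return no rules.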
Hi Lukas,
Sorry about the delay in response.
Okay, will check about adding labels. I'm not sure whether categories or labels are easier to implement; will explore further. Thanks.
Thanks all for the help. ---- Cheers, Lakshmipathi.G http://www.giis.co.in http://www.webminal.org
On Wed, May 10, 2017 at 4:58 PM, Lukas Vrabec lvrabec@redhat.com wrote:
> [...]
> -- Lukas Vrabec SELinux Solutions Red Hat, Inc.
On 05/19/2017 04:56 PM, Lakshmipathi.G wrote:
> Hi Lukas,
> Sorry about the delay in response.
> Okay, will check about adding labels. I'm not sure whether categories or labels are easier to implement; will explore further. Thanks.
You need to have 2 SELinux users here.
Lukas.
Thanks for the details.
---- Cheers, Lakshmipathi.G http://www.giis.co.in http://www.webminal.org
On Mon, May 22, 2017 at 5:45 PM, Lukas Vrabec lvrabec@redhat.com wrote:
> [...]
> -- Lukas Vrabec Software Engineer, Security Technologies Red Hat, Inc.