On Tue, 2012-11-06 at 10:09 +0100, bob lapointe wrote:
> Hello,
> I want to restrict a user; I would like to forbid the use of system commands
> such as "find, perl".
> In all the documentation I've found, it is always about allowing commands,
> never about prohibiting a user from doing something.
Access is denied by default; if you want to allow something then you
need to specify that.
> Can it be done with SELinux, or do I have to "play" with the rights of
> commands?
It can be done, sure (whether it makes sense to do it is another
question).

I do not know what you mean by "I have to "play" with the rights of
commands?"

Basically what you would need to do is create private types, make the
types core command executable file types, label the executable files
accordingly and then specify who can execute them.

I am not sure what approach you are using to create your confined user,
but if you are using the shipped SELinux macros, as is, to base your new
confined user policy off of, then you are accepting some of the
properties of these macros. One of these properties may be that it
already allows your user to execute find or perl.

So to create a confined user that is customized in a way that differs
from what is facilitated by the distro macros, you would need to work
around those few "limitations" of the provided macros or create a new
user domain from scratch.

Basically you are providing us with too few details about your
approach for me to be able to give a more specific answer.
> Thanks
> Jérémy P
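
The four steps named in the reply above (private type, core command executable file type, labelling, who may execute), written out as a reference policy module. This is an added example, not policy posted by anyone in the thread; the module name `restrictedcmd`, the type `restricted_cmd_exec_t`, the choice of `staff_t` as the domain that keeps access, and the `/usr/bin` paths are all assumptions.

```selinux
# restrictedcmd.te -- added example; module name, type name, the choice of
# staff_t and the /usr/bin paths below are assumptions, not from the thread.
policy_module(restrictedcmd, 1.0.0)

gen_require(`
	type staff_t;	# a domain that should still be able to run find/perl
')

# Step 1: a private type for the binaries to be restricted.
type restricted_cmd_exec_t;

# Step 2: make it a core command executable file type (interface from
# refpolicy's corecommands.if). This also adds the type to the exec_type
# attribute, so any domain that is allowed to execute *all* executables
# keeps access. That is the macro "property" the reply warns about.
corecmd_executable_file(restricted_cmd_exec_t)

# Step 4: specify who can execute the relabelled files. A confined user
# domain with no rule like this one is denied by default.
can_exec(staff_t, restricted_cmd_exec_t)

# Step 3: labelling goes in the companion file restrictedcmd.fc:
#
#   /usr/bin/find	--	gen_context(system_u:object_r:restricted_cmd_exec_t,s0)
#   /usr/bin/perl	--	gen_context(system_u:object_r:restricted_cmd_exec_t,s0)
#
# Build, load and relabel:
#
#   make -f /usr/share/selinux/devel/Makefile restrictedcmd.pp
#   semodule -i restrictedcmd.pp
#   restorecon -v /usr/bin/find /usr/bin/perl
#
# Check which domains can still execute the new type. The confined user
# domain must not be listed; if it is, a macro it was built from grants
# execute on exec_type and has to be replaced or worked around:
#
#   sesearch --allow -t restricted_cmd_exec_t -c file -p execute
#
# Other domains (cron jobs, package scripts, init scripts) that call find
# or perl also lose access after relabelling and need their own can_exec
# rule; watch for AVC denials with: ausearch -m avc -ts recent
```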