about selinux_validate_context
Daniel J Walsh
dwalsh at redhat.com
Wed May 5 14:35:30 UTC 2010
If you are trying to set up a least priv user, look at roles/guest.te and
xguest.te.

They use userdom_restricted_user_template and
userdom_restricted_xwindows_user_template,
which are considered the least privs required for a login user.

user_t/staff_t are full users, meaning they should be allowed to do
everything a user on a non-SELinux system is, without any Capabilities.
If they need to execute an application that requires capabilities, a
transition rule is defined.

userdom_restricted_user_template gives you a user which cannot use the
network, any capabilities, no exec in homedir. No X.