Need help restricting root access to a file or directory.

DJ Goldfingerz goldfingerz at gmail.com
Wed Feb 9 21:00:23 UTC 2011


 Hello all,

let me start by saying I'm new to selinux and writing policies. Let me
explain what I'm trying to do.

I've setup 2 copies of /bin/bash for user1 and user2:

-rwxr-xr-x 1 root root 801512 Oct 21  2008 /bin/bash
-r-sr-s---+ 1 root root 801512 Oct 21  2008 /bin/bash1
-r-sr-s---+ 1 root root 801512 Oct 21  2008 /bin/bash2

Both bash1 and bash2 have acls to restrict their access:

# file: bin/bash1
# owner: root
# group: root
user::r-x
group::r-x
group:user1:r-x
mask::r-x
other::---

# file: bin/bash2
# owner: root
# group: root
user::r-x
group::r-x
group:user2:r-x
mask::r-x
other::---

Now what I was hoping to do was to use SELinux to limit which files and
folders user1 and user2 could read, write, execute and delete. In this
example I'd like to write a simple policy that would limit read access to
user1 on folder /mydir/test but user2 could read and write to any files in
the folder.

My ultimate goal is to use SELinux for doing RBAC (role base access
control). I'm using this example as an easy starting point for me to learn
how to use SELinux to control user access when those users have root access.

Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110209/243379cf/attachment.html 


More information about the selinux mailing list