Need help restricting root access to a file or directory.
Dominick Grift
domg472 at gmail.com
Wed Feb 9 21:16:18 UTC 2011
On Wed, Feb 09, 2011 at 04:00:23PM -0500, DJ Goldfingerz wrote:
> Hello all,
>
> Let me start by saying I'm new to SELinux and writing policies. Let me
> explain what I'm trying to do.
>
> I've set up 2 copies of /bin/bash for user1 and user2:
>
> -rwxr-xr-x 1 root root 801512 Oct 21 2008 /bin/bash
> -r-sr-s---+ 1 root root 801512 Oct 21 2008 /bin/bash1
> -r-sr-s---+ 1 root root 801512 Oct 21 2008 /bin/bash2
>
> Both bash1 and bash2 have acls to restrict their access:
>
> # file: bin/bash1
> # owner: root
> # group: root
> user::r-x
> group::r-x
> group:user1:r-x
> mask::r-x
> other::---
>
> # file: bin/bash2
> # owner: root
> # group: root
> user::r-x
> group::r-x
> group:user2:r-x
> mask::r-x
> other::---
>
> Now what I was hoping to do was to use SELinux to limit which files and
> folders user1 and user2 could read, write, execute and delete. In this
> example I'd like to write a simple policy that would limit read access to
> user1 on folder /mydir/test but user2 could read and write to any files in
> the folder.
>
> My ultimate goal is to use SELinux for doing RBAC (role based access
> control). I'm using this example as an easy starting point for me to learn
> how to use SELinux to control user access when those users have root access.
>
> Thank you.
You would create a new user domain and roles and create special types for each directory, I suppose.
I recently created a series of screencasts showing some of the neat things you can achieve with RBAC.
These screencasts may or may not enlighten and inspire you:
1. part one -- restricted login users/ restricted roles (confining root): http://www.youtube.com/watch?v=sBI50O84NLo
2. part two -- restricted roles ( secondary role for unprivileged users (use sudo as newrole)): http://www.youtube.com/watch?v=ATTJ5xUKH1E
3. part three -- other stuff: http://www.youtube.com/watch?v=ATTJ5xUKH1E
There are more screencasts there.
Hopefully those will inspire you and get you started.
If not, then maybe I will be able to answer any specific questions that you may have.
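The reply sketches the approach (a private type for the directory, plus a role and domain per user) without spelling it out. The script below is an added example, not code from the list post or from the Fedora policy: it writes a small policy module that gives user1 read-only and user2 read/write access to /mydir/test, then builds and loads it. It assumes a Fedora-style reference policy with selinux-policy-devel installed; the type names mydir_t and mydir_test_t, the roles user1_r and user2_r, the domains user1_t and user2_t and the SELinux users user1_u and user2_u are all names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the list post): one SELinux policy module that gives
# user1 read-only and user2 read/write access to /mydir/test, as the reply
# suggests: a private type for the directory plus one role and domain per user.
# Assumes a Fedora-style refpolicy with selinux-policy-devel installed; the
# names mydir_t, mydir_test_t, user1_r/user1_t and user2_r/user2_t are chosen here.

# Write mydir.te and mydir.fc into the directory given as $1.
write_policy_sources() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/mydir.te" <<'EOF'
policy_module(mydir, 1.0)

# Private types: one for the parent directory, one for the restricted subtree.
type mydir_t;
files_type(mydir_t)
type mydir_test_t;
files_type(mydir_test_t)

# One role and one confined, unprivileged user domain per account.
role user1_r;
userdom_unpriv_user_template(user1)
role user2_r;
userdom_unpriv_user_template(user2)

# Both domains may traverse /mydir to reach the subtree, nothing more.
allow { user1_t user2_t } mydir_t:dir search_dir_perms;

# user1: list the directory and read its files; no write, create or unlink.
list_dirs_pattern(user1_t, mydir_test_t, mydir_test_t)
read_files_pattern(user1_t, mydir_test_t, mydir_test_t)

# user2: create, write, rename and delete files and subdirectories.
manage_dirs_pattern(user2_t, mydir_test_t, mydir_test_t)
manage_files_pattern(user2_t, mydir_test_t, mydir_test_t)
EOF
    cat > "$dir/mydir.fc" <<'EOF'
/mydir              -d  gen_context(system_u:object_r:mydir_t,s0)
/mydir/test(/.*)?       gen_context(system_u:object_r:mydir_test_t,s0)
EOF
}

# Build, load and wire the module up on an SELinux host (needs root).
build_and_load() {
    dir="$1"
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile mydir.pp) || return 1
    semodule -i "$dir/mydir.pp" || return 1
    # Each Linux account gets its own SELinux user that may enter only its own role.
    semanage user -a -R user1_r user1_u
    semanage user -a -R user2_r user2_u
    semanage login -a -s user1_u user1
    semanage login -a -s user2_u user2
    # Apply the new labels to the existing directory tree.
    restorecon -Rv /mydir
}

# Usage on an SELinux host:  write_policy_sources ./mydir && build_and_load ./mydir
```

Two points worth checking before relying on this. First, login programs pick the initial context from /etc/selinux/<policy>/contexts/default_contexts (or a per-user file under contexts/users/), so a newly defined role such as user1_r has to be listed there, otherwise logins for that user fail with no valid context. Second, type enforcement is evaluated on the process domain, not on the uid: a shell running as uid 0 inside user1_t is still limited to what the user1_t rules allow, which is why the setuid bash copies in the question do not bypass the policy. After loading, `ls -Z /mydir/test` should show mydir_test_t, and `id -Z` in each user's session should show the expected role and domain.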