Need help restricting root access to a file or directory.

Dominick Grift domg472 at gmail.com
Wed Feb 9 21:16:18 UTC 2011


On Wed, Feb 09, 2011 at 04:00:23PM -0500, DJ Goldfingerz wrote:
>  Hello all,
> 
> let me start by saying I'm new to selinux and writing policies. Let me
> explain what I'm trying to do.
> 
> I've set up 2 copies of /bin/bash for user1 and user2:
> 
> -rwxr-xr-x 1 root root 801512 Oct 21  2008 /bin/bash
> -r-sr-s---+ 1 root root 801512 Oct 21  2008 /bin/bash1
> -r-sr-s---+ 1 root root 801512 Oct 21  2008 /bin/bash2
> 
> Both bash1 and bash2 have ACLs to restrict their access:
> 
> # file: bin/bash1
> # owner: root
> # group: root
> user::r-x
> group::r-x
> group:user1:r-x
> mask::r-x
> other::---
> 
> # file: bin/bash2
> # owner: root
> # group: root
> user::r-x
> group::r-x
> group:user2:r-x
> mask::r-x
> other::---
> 
> Now what I was hoping to do was to use SELinux to limit which files and
> folders user1 and user2 could read, write, execute and delete. In this
> example I'd like to write a simple policy that would limit read access to
> user1 on folder /mydir/test but user2 could read and write to any files in
> the folder.
> 
> My ultimate goal is to use SELinux for doing RBAC (role-based access
> control). I'm using this example as an easy starting point for me to learn
> how to use SELinux to control user access when those users have root access.
> 
> Thank you.

You would create a new user domain and roles and create special types for each directory, I suppose.

I recently created a series of screencasts showing some of the neat things you can achieve with RBAC.
These screencasts may or may not enlighten and inspire you:

1. part one -- restricted login users/ restricted roles (confining root): http://www.youtube.com/watch?v=sBI50O84NLo
2. part two -- restricted roles ( secondary role for unprivileged users (use sudo as newrole)): http://www.youtube.com/watch?v=ATTJ5xUKH1E
3. part three -- other stuff: http://www.youtube.com/watch?v=ATTJ5xUKH1E

There are more screencasts there.

Hopefully those will inspire you and get you started.
If not, then maybe I will be able to answer any specific questions that you may have.
 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
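The reply above sketches the approach (a user domain and role per login, a private type per directory) without showing a policy. The script below is an added example, not code from either poster or from the Fedora policy project: it writes a small reference-policy style module that confines user1 and user2 to their own domains via the refpolicy `userdom_unpriv_user_template` and labels /mydir/test with a private type that user1_t may only read and user2_t may read, write, create and delete, then builds and loads it where the toolchain exists. The module name `mydir`, the types `mydir_t` and `mydir_test_t`, and the use of Fedora's selinux-policy-devel Makefile at /usr/share/selinux/devel are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a small refpolicy-style module that
# confines user1 and user2 to their own SELinux domains and gives user1
# read-only and user2 read/write access to /mydir/test.
# Assumptions (not from the thread): Fedora's selinux-policy-devel package
# (refpolicy macros and the Makefile at /usr/share/selinux/devel),
# policycoreutils, and the chosen names mydir, mydir_t, mydir_test_t.

write_policy() {
    dir="$1"
    mkdir -p "$dir"

    # Type enforcement file. The unpriv user template creates user1_t/user1_r
    # and user2_t/user2_r with ordinary unprivileged-user permissions; the
    # private types below are reachable only through the rules that follow.
    cat > "$dir/mydir.te" <<'EOF'
policy_module(mydir, 1.0.0)

userdom_unpriv_user_template(user1)
userdom_unpriv_user_template(user2)

# /mydir itself: both users may only traverse it.
type mydir_t;
files_type(mydir_t)

# /mydir/test and everything under it.
type mydir_test_t;
files_type(mydir_test_t)

search_dirs_pattern(user1_t, mydir_t, mydir_t)
search_dirs_pattern(user2_t, mydir_t, mydir_t)

# user1: list the directory and read its files; no write, create or unlink.
list_dirs_pattern(user1_t, mydir_test_t, mydir_test_t)
read_files_pattern(user1_t, mydir_test_t, mydir_test_t)

# user2: full management of directories and files under /mydir/test.
manage_dirs_pattern(user2_t, mydir_test_t, mydir_test_t)
manage_files_pattern(user2_t, mydir_test_t, mydir_test_t)
EOF

    # File contexts, applied to the filesystem later with restorecon.
    cat > "$dir/mydir.fc" <<'EOF'
/mydir                  -d  gen_context(system_u:object_r:mydir_t,s0)
/mydir/test(/.*)?           gen_context(system_u:object_r:mydir_test_t,s0)
EOF
}

# Build and load the module, then map the Linux logins to SELinux users that
# carry the new roles. Needs root and only runs where the toolchain exists.
build_and_load() {
    dir="$1"
    if ! command -v semodule >/dev/null 2>&1 || [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "SELinux policy toolchain not found; policy files left in $dir" >&2
        return 1
    fi
    make -C "$dir" -f /usr/share/selinux/devel/Makefile mydir.pp
    semodule -i "$dir/mydir.pp"
    semanage user -a -R user1_r user1_u
    semanage user -a -R user2_r user2_u
    semanage login -a -s user1_u user1
    semanage login -a -s user2_u user2
    mkdir -p /mydir/test
    restorecon -Rv /mydir
}

# Run as: sh mydir_policy.sh /tmp/mydir-policy
if [ -n "$1" ]; then
    write_policy "$1" && build_and_load "$1"
fi
```

Two checks worth doing after a fresh login as each user: `id -Z` must show `user1_u:user1_r:user1_t` (or the user2 equivalent), because the rules only bite if the user actually lands in that domain; a uid of 0 obtained through a setuid shell does not change the SELinux context, which is the point of confining root this way. Then `sesearch -A -s user1_t -t mydir_test_t -c file` should list read-type permissions only, while the same query for user2_t shows write, create and unlink. Note that `files_type()` leaves the directory manageable by the usual administrative domains (sysadm_t, unconfined_t), so anyone who is still unconfined is not restricted by this module.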


