block find / perl / curl to user ?

Dominick Grift dominick.grift at gmail.com
Tue Nov 6 09:50:56 UTC 2012
On Tue, 2012-11-06 at 10:09 +0100, bob lapointe wrote:
> Hello,
> I want to restrict a user; I would like to forbid the use of system
> commands such as "find" and "perl".
> 
> In all the documentation I've found, it is always about allowing
> commands, never about prohibiting a user from doing something.
> 

Access is denied by default, if you want to allow something then you
need to specify that.

> Can it be done with SELinux? Or do I have to "play" with the rights of
> commands?

It can be done, sure (whether it makes sense to do it is another
question).

I do not know what you mean by "I have to "play" with the rights of
commands?"

Basically what you would need to do is create private types, make the
types core command executable file types, label the executable files
accordingly and then specify who can execute them.

I am not sure what approach you are using to create your confined user,
but if you are using the shipped SELinux macros, as is, to base your new
confined user policy on, then you are accepting some of the properties
of these macros. One of these properties may be that it already allows
your user to execute find or perl.

So to create a confined user that is customized in a way that differs
from what is facilitated by the distro macros you would need to work
around those few "limitations" of the provided macros or create a new
user domain from scratch.

Basically you are providing us with too few details about your approach
for me to be able to give a more specific answer.

> 
> Thanks
> Jérémy P
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
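The approach sketched in the reply above (private type, core-command executable attribute, file labels, explicit exec permission) as an added refpolicy-style module; this is illustration written for this page, not code from the list or from the reference policy. The module name restricted_cmds, the type restricted_cmd_exec_t, the choice of sysadm_t as the only domain allowed to run the files, and the /usr/bin paths are all assumptions.

```selinux
# --- restricted_cmds.te (hypothetical module name) ---
policy_module(restricted_cmds, 1.0.0)

# Private type for the executables being gated. Declaring it as a
# core-command executable file type gives it the usual exec/entrypoint
# attributes without granting the bin_t permissions that ordinary
# user domains already receive from the distro user templates.
type restricted_cmd_exec_t;
corecmd_executable_file(restricted_cmd_exec_t)

# Only the domains listed here may execute files of the private type.
# The confined user domain is deliberately absent: its template's
# corecmd_exec_bin() covers bin_t, not this type, so with the default
# deny it simply has no execute permission. sysadm_t is an assumption.
gen_require(`
    type sysadm_t;
')
can_exec(sysadm_t, restricted_cmd_exec_t)

# --- restricted_cmds.fc ---
# Paths are assumptions; confirm with `which find perl` on the target.
/usr/bin/find    --    gen_context(system_u:object_r:restricted_cmd_exec_t,s0)
/usr/bin/perl    --    gen_context(system_u:object_r:restricted_cmd_exec_t,s0)
```

After installing the module, run `restorecon -v /usr/bin/find /usr/bin/perl` and verify with `sesearch -A -t restricted_cmd_exec_t -c file -p execute` that only the intended domains appear; if the user template already grants execution of all executable file types, the private type changes nothing. Relabeling perl also breaks any other domain that runs `#!/usr/bin/perl` scripts unless it is granted the same permission, which is the "whether it makes sense" caveat from the reply.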
