allow guest_u to access screen

Dominick Grift dominick.grift at gmail.com
Sun Apr 14 15:41:15 UTC 2013


On Sun, 2013-04-14 at 00:27 +0530, Lakshmipathi.G wrote:
> Hi -
> 
> I'm trying to allow guest_u user to execute 'screen' command. When
> guest_u executes screen ,access gets denied, 
> but I can't find any logs under /var/log/audit/audit.log . If SElinux
> disabled, guest_u can properly execute screen command.
> 
> # grep screen /var/log/audit/audit.log | audit2allow -M screen
> Nothing to do
> 
> How to provide screen command access to guest_u in a safe manner ?
> Such a policy open up any other security issues? 
> Thanks for any pointers/help.
> 

guest-t is supposed to be a minimal ssh login user and so by default the
use of screen is not supported.

To allow it should be easy:

mkdir myguest; cd myguest
# quote the delimiter so the m4 backquotes reach the file unchanged
cat > myguest.te << 'EOF'
policy_module(myguest, 1.0.0)
optional_policy(`
gen_require(` type guest_t; role guest_r; ')
screen_role_template(guest, guest_r, guest_t)
')
EOF

make -f /usr/share/selinux/devel/Makefile myguest.pp
sudo semodule -i myguest.pp

This will allow guest_t to run screen in the guest_screen_t domain.
You will probably want to relogin and run restorecon -R -v -F
~/.screenrc
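The module build above, as an added example (this is not Dominick's or the SELinux project's code): a small POSIX sh script that renders the .te source for any refpolicy login user (prefix, role, domain), checks that `screen_role_template` actually exists in the installed policy headers before compiling, builds and loads the module, and then shows the resulting type transition out of the user domain with `sesearch` from setools. It assumes the refpolicy-style paths `/usr/share/selinux/devel/Makefile` and `/usr/share/selinux/devel/include`, and that `semodule -DB` / `semodule -B` (disable and re-enable dontaudit rules) are available; the empty audit.log in the question is the usual sign that the denial is covered by a dontaudit rule, which is why that step is included.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a policy module that
# hands a confined login user (default: guest) the screen_role_template,
# then verifies the transition. Assumes refpolicy-style devel paths.
set -eu

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # assumed path
DEVEL_INCLUDE=/usr/share/selinux/devel/include     # assumed path

# Render the .te source for a user prefix, role and domain.
# Generalizes the guest-only snippet: any refpolicy login user can be
# passed to the template the same way (e.g. staff staff_r staff_t).
render_te() {
    prefix=$1; role=$2; domain=$3; name=${4:-my$prefix}
    # Unquoted heredoc so the variables expand; the m4 backquotes are
    # escaped so they reach the output as literal characters.
    cat <<EOF
policy_module($name, 1.0.0)
optional_policy(\`
    gen_require(\`
        type $domain;
        role $role;
    ')
    screen_role_template($prefix, $role, $domain)
')
EOF
}

# The template lives in screen.if; a missing interface would otherwise
# only surface as a compile error from the refpolicy Makefile.
template_available() {
    grep -rqs "template(\`screen_role_template'" "$DEVEL_INCLUDE"
}

# Compile the .te in the current directory and load the resulting .pp.
build_and_load() {
    name=$1
    if [ ! -f "$DEVEL_MAKEFILE" ]; then
        echo "missing $DEVEL_MAKEFILE: install the policy devel package" >&2
        return 1
    fi
    make -f "$DEVEL_MAKEFILE" "$name.pp"
    semodule -i "$name.pp"
}

# List type transitions out of the user domain; after loading, an entry
# into the <prefix>_screen_t domain for the screen executable is expected.
show_transitions() {
    domain=$1
    if ! command -v sesearch >/dev/null 2>&1; then
        echo "sesearch (setools) not installed; skipping verification" >&2
        return 0
    fi
    sesearch -T -s "$domain" -c process
}

# An empty audit.log usually means the denial is dontaudited. Disable the
# dontaudit rules while reproducing, then restore them with semodule -B.
reveal_dontaudit() {
    semodule -DB
    echo "reproduce the failure now, then run: semodule -B" >&2
}

main() {
    prefix=${1:-guest}; role=${2:-guest_r}; domain=${3:-guest_t}
    name="my$prefix"
    workdir=$(mktemp -d)
    cd "$workdir"
    if ! template_available; then
        echo "screen_role_template not found under $DEVEL_INCLUDE" >&2
        exit 1
    fi
    render_te "$prefix" "$role" "$domain" "$name" > "$name.te"
    build_and_load "$name"
    show_transitions "$domain" | grep screen || true
}

# Only act when invoked as "install [prefix role domain]"; otherwise the
# file just defines the helpers and can be sourced.
if [ "${1:-}" = "install" ]; then
    shift
    main "$@"
fi
```

Run it as root with `sh build-screen-module.sh install` for guest_u, or `sh build-screen-module.sh install staff staff_r staff_t` for another confined user; if `screen` still fails with nothing in audit.log, call `reveal_dontaudit`, retry, and then `semodule -B`.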
