Difference between users getting selinux status info between Fedora 18 and RHEL6

Dominick Grift dominick.grift at gmail.com
Mon Feb 11 10:49:46 UTC 2013


I've recently written a blog post about creating a restricted openssh
login user with raw rules:
https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/

It works really well in Fedora 18. I am able to prevent the user from
getting any information about selinux. For example:

[myrole at virt ~]$ id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
[myrole at virt ~]$ sestatus
SELinux status:                 disabled
[myrole at virt ~]$ getenforce
Disabled

However, this does not work in RHEL6 like it does in Fedora 18.

In Fedora 18 it's probably blocked by disallowing the user to get
attributes of its own process (?)

However it seems that in RHEL6 it gets much of this information by
reading the user process state files instead?

Is some difference in behaviour in libselinux or some other selinux lib
responsible for this?
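Added example, not part of the post above or of libselinux: a small probe that tries the files which id -Z, getenforce and sestatus (through libselinux) are commonly assumed to consult, so the same confined login can be compared on Fedora 18 and RHEL6 to see which source still reveals the SELinux state. The exact set of paths libselinux reads differs by version, so the list here is an assumption, not its source.

```python
# Added example (not from the original post): probe which SELinux status
# sources a confined user can still read. Path list and meanings are an
# approximation of what libselinux consults; they vary between versions.
from typing import Callable, Dict, Optional

# Candidate sources and what each one reveals about the SELinux state.
SOURCES = {
    "/proc/self/attr/current": "own process context (getcon, used by id -Z)",
    "/proc/filesystems":       "selinuxfs registered? (is_selinux_enabled)",
    "/proc/mounts":            "where selinuxfs is mounted (init_selinuxmnt)",
    "/sys/fs/selinux/enforce": "enforce flag, Fedora 18 selinuxfs mount point",
    "/selinux/enforce":        "enforce flag, RHEL6 selinuxfs mount point",
}

def read_real(path: str) -> Optional[str]:
    """Default reader: file text, or None when the read is refused."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None

def probe(read: Callable[[str], Optional[str]] = read_real) -> Dict[str, Optional[str]]:
    """Try every source once; None marks a source the user could not read."""
    return {path: read(path) for path in SOURCES}

def leaks_status(results: Dict[str, Optional[str]]) -> bool:
    """True if any readable source still shows that SELinux is enabled."""
    fs = results.get("/proc/filesystems")
    if fs and "selinuxfs" in fs:
        return True
    for path in ("/sys/fs/selinux/enforce", "/selinux/enforce"):
        if results.get(path) is not None:
            return True
    ctx = results.get("/proc/self/attr/current")
    # /proc/self/attr/current is NUL-terminated; "kernel" means no policy.
    return bool(ctx) and ctx.strip("\x00\n ") not in ("", "kernel")

def report(results: Dict[str, Optional[str]]) -> str:
    """Human-readable summary, one line per source plus a verdict."""
    lines = []
    for path, meaning in SOURCES.items():
        state = "denied" if results[path] is None else "readable"
        lines.append(f"{state:8} {path}  ({meaning})")
    lines.append("status leaks" if leaks_status(results) else "status hidden")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(probe()))
```

Run it as the restricted user on both systems; a "readable" line that appears only on RHEL6 points at the source that libselinux there falls back to.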

