Difference between users getting selinux status info between Fedora 18 and RHEL6
Daniel J Walsh
dwalsh at redhat.com
Mon Feb 11 16:31:49 UTC 2013
On 02/11/2013 05:49 AM, Dominick Grift wrote:
> I've recently written a blog post about creating a restricted openssh login
> user with raw rules:
> https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/
>
> It works really well in Fedora 18. I am able to prevent the user from
> getting any information about selinux. For example:
>
> [myrole@virt ~]$ id -Z
> id: --context (-Z) works only on an SELinux-enabled kernel
> [myrole@virt ~]$ sestatus
> SELinux status: disabled
> [myrole@virt ~]$ getenforce
> Disabled
>
> However, this does not work in RHEL6 like it does in Fedora 18.
>
> In Fedora 18 it's probably blocked by disallowing the user to get attributes
> of its own process (?)
>
> However it seems that in RHEL6 it gets much of this information by reading
> the user process state files instead?
>
> Is some difference in behaviour in libselinux or some other selinux lib
> responsible for this?
>
I think there were changes to libselinux to interpret a read only /selinux
into SELinux disabled.
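As an added illustration (not code from this thread or from libselinux), the following script mirrors the behaviour Dan describes: it parses a mount table the way a process sees it and reports what libselinux-based tools such as getenforce and sestatus would print if a read-only selinuxfs is taken to mean "SELinux disabled". The treatment of a read-only mount as "disabled" is taken from the reply above and modelled here, not copied from libselinux source; the sample mount tables are constructed.

```python
"""Added example: detect a read-only selinuxfs mount from a mount table.

Modelled assumption (from the reply above): libselinux treats a read-only
selinuxfs mount as "SELinux disabled", so a confined user whose view of
/selinux (or /sys/fs/selinux) is read-only sees getenforce print
"Disabled" even though the kernel is actually enforcing policy.
"""
from typing import Optional


def find_selinuxfs(mounts_text: str) -> Optional[dict]:
    """Parse /proc/self/mounts-style text; return the selinuxfs entry or None.

    Each line: <source> <mountpoint> <fstype> <options> <dump> <pass>
    Options are compared as whole tokens so "ro" never matches e.g.
    "errors=remount-ro".
    """
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _source, mountpoint, fstype, options = fields[:4]
        if fstype == "selinuxfs":
            return {"mountpoint": mountpoint,
                    "readonly": "ro" in options.split(",")}
    return None


def apparent_status(mounts_text: str) -> str:
    """Status that tools would report under the modelled libselinux rule."""
    entry = find_selinuxfs(mounts_text)
    if entry is None or entry["readonly"]:
        return "disabled"
    return "enabled"


def status_from_system() -> str:
    """Run the same check against the live mount table (Linux only)."""
    with open("/proc/self/mounts") as fh:
        return apparent_status(fh.read())


# Constructed sample mount tables (not captured from a real host).
MOUNTS_RW = "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n"
MOUNTS_RO = "selinuxfs /selinux selinuxfs ro,relatime 0 0\n"
MOUNTS_NONE = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"

if __name__ == "__main__":
    for name, text in (("rw", MOUNTS_RW), ("ro", MOUNTS_RO), ("none", MOUNTS_NONE)):
        print(f"{name}: {apparent_status(text)}")
```

Comparing `status_from_system()` with the kernel's real enforcing state (as seen by an unconfined administrator) shows whether a confined login is being shown a read-only or missing selinuxfs rather than a truly disabled system.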