Good afternoon! How to we can any process permission to any specific user ? As processes run with the privileges of user under which they are running....
do we have any policy module for that?
thanks
Engr. Naina Emmanuel
Cryptography Certified
Linux Essential Certified (LEPDC)
Cisco Certified Network Associate (CCNA)
Computer Engineering Department, UET Taxila
Information Security, CS Department, CIIT Islamabad
On 11/14/2016 08:04 AM, Naina Emmanuel wrote:
> Good afternoon! How to we can any process permission to any specific user ? As processes run with the privileges of user under which they are running....
> do we have any policy module for that?
Good morning,
For example, you have mapped the Linux user (user) to the SELinux user (staff_u).
# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
user                 staff_u              s0:c0.c1023          *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
If you execute some binary and there is no SELinux transition, the process will run in the *staff_t* user domain.
Example:
$ ps -efZ | grep firefox
staff_u:staff_r:staff_t:s0:c0.c1023 user 2319 1 22 09:32 tty2 00:14:38 /usr/lib64/firefox/firefox
So, if you want to change permissions for userdomains, you need to userdomain modules. In the refpolicy or selinux-policy Fedora repo you can find userdomain here:
https://github.com/fedora-selinux/selinux-policy/tree/rawhide-base/policy/mo...
https://github.com/TresysTechnology/refpolicy/tree/master/policy/modules/rol...
Lukas.
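An added example, not part of the reply above or of any project's code: a Python check that resolves a Linux login through the `semanage login -l` table (including the `__default__` fallback) and compares it with the context column of a `ps -efZ` row. The function names are hypothetical, the sample input is constructed from the output quoted in the thread, and the login `alice` used in the test is made up.

```python
# Sample data constructed from the output quoted in the thread.
LOGIN_TABLE = """\
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
user                 staff_u              s0:c0.c1023          *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
"""
PS_LINE = ("staff_u:staff_r:staff_t:s0:c0.c1023 user 2319 1 22 09:32 tty2 "
           "00:14:38 /usr/lib64/firefox/firefox")


def parse_login_table(text):
    """Map Linux login name -> (SELinux user, MLS/MCS range)."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly four columns; the header splits into more.
        if len(fields) == 4:
            table[fields[0]] = (fields[1], fields[2])
    return table


def seuser_for(login, table):
    """Logins without their own row fall back to the __default__ mapping."""
    return table.get(login, table["__default__"])


def parse_context(context):
    """Split user:role:type:range; the range may itself contain ':'."""
    user, role, setype, mls = context.split(":", 3)
    return {"user": user, "role": role, "type": setype, "range": mls}


def check_process(ps_line, table):
    """Compare the first columns of a `ps -efZ` row with the login mapping."""
    context, unix_user, pid = ps_line.split()[:3]
    ctx = parse_context(context)
    expected_user, expected_range = seuser_for(unix_user, table)
    return {
        "pid": int(pid),
        "domain": ctx["type"],  # staff_t here: no transition happened
        "user_matches": ctx["user"] == expected_user,
        "range_matches": ctx["range"] == expected_range,
    }


if __name__ == "__main__":
    print(check_process(PS_LINE, parse_login_table(LOGIN_TABLE)))
```

Splitting the context on every `:` would cut the MLS/MCS range `s0:c0.c1023` in two, which is why `parse_context` limits the split to the first three separators.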