Hi, is there a way I can permit a user confined by SELinux to run rpm but have the scriptlets executed in the user's domain type instead of rpm_script_t?
I have a use case where I need to permit some users to install rpms but at the same time I need to confine them so they would not interfere with files that define network interfaces/kernel and so on.
Thanks
I learned to do this using an example from Dan's blog. The comments happen to describe the exact scenario you're describing.
http://danwalsh.livejournal.com/66587.html?thread=397339#t397339
On Wed, Feb 18, 2015 at 2:53 AM, Cretu Adrian adycrt@gmail.com wrote:
> Hi, is there a way I can permit a user confined by SELinux to run rpm but have the scriptlets executed in the user's domain type instead of rpm_script_t?
> I have a use case where I need to permit some users to install rpms but at the same time I need to confine them so they would not interfere with files that define network interfaces/kernel and so on.
> Thanks
On 02/18/2015 03:53 AM, Cretu Adrian wrote:
> Hi, is there a way I can permit a user confined by SELinux to run rpm but have the scriptlets executed in the user's domain type instead of rpm_script_t?
> I have a use case where I need to permit some users to install rpms but at the same time I need to confine them so they would not interfere with files that define network interfaces/kernel and so on.
I think you would need to define a domain transition from the user's domain type (let's say user_t) to a new domain (let's say user_rpm_t) upon executing rpm_exec_t so that rpm will run in that domain, and then define a domain transition back from user_rpm_t to user_t upon executing shell_exec_t so that rpm scriptlets will run in user_t. Or you could define a user_rpm_script_t domain for that purpose. If you define a domain transition, it will use that instead of using rpm_script_t. But you not only need rpm scriptlets to run in a different domain; you also need rpm itself to run in a different domain if you want to prevent the user from overwriting arbitrary files.
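The two transitions described in the reply above, written as a policy module source file. This is an added example, not part of the original thread or of any distribution's policy. It assumes reference-policy names (user_t, user_r, rpm_exec_t, shell_exec_t and the domain_type, domain_entry_file and domtrans_pattern macros) and uses the reply's hypothetical user_rpm_t; the allow rules that decide which files user_rpm_t may write are site-specific and belong in the same module.

```selinux
# user_rpm.te (hypothetical module name)
policy_module(user_rpm, 1.0.0)

gen_require(`
	type user_t;
	role user_r;
	type rpm_exec_t;
	type shell_exec_t;
')

# Domain in which rpm itself runs when a confined user starts it.
# user_rpm_t is the placeholder name used in the reply.
type user_rpm_t;
domain_type(user_rpm_t)

# rpm_exec_t is a valid entry point into user_rpm_t, and user_r
# is allowed to be associated with the new domain.
domain_entry_file(user_rpm_t, rpm_exec_t)
role user_r types user_rpm_t;

# Transition 1: user_t executes rpm_exec_t -> process runs as user_rpm_t.
# Without this rule the user would run rpm in user_t (or be denied).
domtrans_pattern(user_t, rpm_exec_t, user_rpm_t)

# Transition 2: user_rpm_t executes shell_exec_t -> process runs as user_t.
# This is the rule that keeps shell scriptlets out of rpm_script_t:
# the transition defined for the source domain user_rpm_t is the one
# that applies, not the one defined for rpm_t.
domain_entry_file(user_t, shell_exec_t)
domtrans_pattern(user_rpm_t, shell_exec_t, user_t)

# Only shell scriptlets match transition 2. A scriptlet that names
# another interpreter is labelled differently and stays in user_rpm_t
# unless a transition is written for that file type as well.

# Deliberately absent: any grant on the types that label network
# interface or kernel files. user_rpm_t can write only what this
# module explicitly allows, which is what confines rpm itself.
```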