Writing policy for confined SELinux users
admin on July 3rd, 2008 | Filed Under Linux articles, Recommended
Last month, I wrote about confining the user with SELinux. I explained that, as of Fedora 9, SELinux supports the concept of the confined user and ships with five user types defined, from the most restricted to unconfined:
- guest_t: terminal login only; no setuid, no network, no X Windows, no execution of files in the home directory
- xguest_t: X Windows login and terminal login; no setuid, no network, no execution of files in the home directory
- user_t: X Windows login and terminal login; no setuid, no execution of files in the home directory
- staff_t: X Windows login and terminal login; no setuid except sudo
- unconfined_t: full login, able to run with almost all the privileges it would have with SELinux disabled
These confined users are a great starting point, but what if you want to create a confined user with different privileges?
I want to create a limited privilege terminal login user with the ability to send mail and read/write files in the /maildir directory.
My son Timothy uses his confined xguest account, but is not happy because he wants to communicate with his friends using AOL.
Fedora 9 has the solution. The SELinux management environment (system-config-selinux) has been updated and includes the ability to build customized SELinux policy modules for the confinement of users.
Remember, this tool is just a wizard: it creates a framework for the policy, which you then refine with tools such as audit2allow or the eclipse-slide package. It gives you a good head start.
In the toolbar panel select:
System->Administration->SELinux Management
This starts system-config-selinux.
Select Policy Module, then click the New button.
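For the mail/maildir user described above, this is roughly what the finished module looks like once the wizard's framework has been filled in. It is an added, hand-written example, not the wizard's output and not from the original post. It builds on the same reference-policy template that guest_t uses (userdom_restricted_user_template), adds a private file type for /maildir, and lets the user hand mail to the system MTA instead of opening up the network. The module name mailuser, the type mailuser_maildir_t and the login name timothy are assumptions chosen for the example.

```selinux
# mailuser.te  (assumed module name; hand-written example, not wizard output)
policy_module(mailuser, 1.0.0)

########################################
#
# Declarations
#

# Same starting point as guest_t: terminal login only, no setuid,
# no network, no X, no execution of files in the home directory.
# The template declares mailuser_t, mailuser_r and the role/type pairing.
userdom_restricted_user_template(mailuser)

# Private type for everything under /maildir (assumed name, not a stock type).
# files_type() marks it as an ordinary file type so standard interfaces
# (backup, restorecon, etc.) know how to treat it.
type mailuser_maildir_t;
files_type(mailuser_maildir_t)

########################################
#
# Local policy
#

# Read/write access to /maildir: create, read, write, rename and delete
# both directories and regular files carrying the maildir type.
manage_dirs_pattern(mailuser_t, mailuser_maildir_t, mailuser_maildir_t)
manage_files_pattern(mailuser_t, mailuser_maildir_t, mailuser_maildir_t)

# Sending mail: running sendmail/mail transitions into the system MTA
# domain (system_mail_t), so the user domain itself still has no network
# access. This is narrower than granting mailuser_t network permissions.
mta_send_mail(mailuser_t)

# mailuser.fc  (file contexts; labels /maildir and everything below it)
/maildir(/.*)?		gen_context(system_u:object_r:mailuser_maildir_t,s0)
```

Put the two files in a directory of their own, build and load the module with `make -f /usr/share/selinux/devel/Makefile mailuser.pp` followed by `semodule -i mailuser.pp`, then create the SELinux user and map a Linux login to it: `semanage user -a -R mailuser_r mailuser_u` and `semanage login -a -s mailuser_u timothy`. Finish with `restorecon -R /maildir` so the existing files pick up the new label. If a login as that user still hits denials, this is exactly where the page's second step comes in: `ausearch -m avc -ts recent | audit2allow -m mailuser` prints the missing rules, which you review and fold into mailuser.te rather than loading blindly.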