locking down a secure-file-area
Security News
wakesec at gmail.com
Thu Jun 16 21:09:22 UTC 2005
OK, what I'm trying to do now is to lock down a particular directory,
so that only people in a certain role may use the files in that
directory. The best way I can see to do this is to have a user login
and the "newrole" their way into the new secure-area domain.
Here's what I have done thus far...
1) chcon -t securefiles_t /home/testuser/securefiles
2) I edited the policy/users file to allow certain users into a
"secureuser_r" role.
3) I edited policy/rbac to "allow user_r secureuser_r"
I created a file called policy/domains/misc/securefiles.te with the following:
<start .te file>
type secureuser_t, domain;
type securefiles_t, file_type;
role secureuser_r types secureuser_t;
allow secureuser_t securefiles_t:dir *;
allow secureuser_t securefiles:file *;
domain_auto_trans(user_t, newrole_exec_t, secureuser_t)
role_tty_type_change(user, secureuser)
allow newrole_t secureuser_t:process transition;
</end .te file>
I am able to comipile and load the policy, but when I login as
testuser and attempt to "newrole -r secureuser_r -t secureuser_t" my
terminal screen closes instantly.
My error log:
avc: denied {transition} for pid=4044 exe=/usr/bin/newrole
path=bin/bash ... scontext=testuser:user_r:newrole_t
tcontext=testuser:secureuser_r:secureuser_t
tclass=process
Any thoughts?
More information about the fedora-selinux-list
mailing list