From: Daniel J Walsh <dwalsh@redhat.com>
To: TaurusHarry <harrytaurus2002@hotmail.com>
Cc: refpolicy-mailing-list <refpolicy@oss1.tresys.com>,
selinux-mailing-list <selinux@tycho.nsa.gov>
Subject: Re: [refpolicy] How to implement the "if-then-else" logic in refpolicy interface?
Date: Wed, 03 Mar 2010 10:14:20 -0500 [thread overview]
Message-ID: <4B8E7CCC.8040407@redhat.com> (raw)
In-Reply-To: <BAY111-W68D4C9E39582E71A1BA31AB3A0@phx.gbl>
[-- Attachment #1: Type: text/plain, Size: 1440 bytes --]
On 03/03/2010 01:37 AM, TaurusHarry wrote:
> Hi SELinux experts,
>
> Thanks a lot for taking a look at my question, how could I implement
> the bash "if-then-else" and "test" grammar in current refpolicy
> interface? For example, if I don't want the user_t to have the
> privilege to execute any kind of shell, what proper grammar should I
> use to implement something with the same logic as 'if ! test "X$1" =
> "Xuser_t"' in the corecomd_exec_shell interface:
>
> interface(`corecmd_exec_shell',`
> gen_require(`
> type bin_t, shell_exec_t;
> ')
>
> if ! test "X$1" = "Xuser_t"; then
> list_dirs_pattern($1, bin_t, bin_t)
> read_lnk_files_pattern($1, bin_t, bin_t)
> can_exec($1, shell_exec_t)
> fi
> ')
>
> Thank you very much!
>
> Best regards,
> Harry
>
> ------------------------------------------------------------------------
> 搜索本应是彩色的,快来体验新一代搜索引擎-必应,精美图片每天换哦! 立即试
> 用! <http://cn.bing.com/?form=CRMADS%20>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy@oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
No that would not work. You need to define a new user type that a user
can login with. user_nobin_t, or something. Then you are going to need
to define all the rules necessary for this user to login and execute the
shell_exec_t and any other programs that you want them to run.
You write this in policy not in shell scripting.
[-- Attachment #2: Type: text/html, Size: 2462 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] How to implement the "if-then-else" logic in refpolicy interface?
Date: Wed, 03 Mar 2010 10:14:20 -0500 [thread overview]
Message-ID: <4B8E7CCC.8040407@redhat.com> (raw)
In-Reply-To: <BAY111-W68D4C9E39582E71A1BA31AB3A0@phx.gbl>
On 03/03/2010 01:37 AM, TaurusHarry wrote:
> Hi SELinux experts,
>
> Thanks a lot for taking a look at my question, how could I implement
> the bash "if-then-else" and "test" grammar in current refpolicy
> interface? For example, if I don't want the user_t to have the
> privilege to execute any kind of shell, what proper grammar should I
> use to implement something with the same logic as 'if ! test "X$1" =
> "Xuser_t"' in the corecomd_exec_shell interface:
>
> interface(`corecmd_exec_shell',`
> gen_require(`
> type bin_t, shell_exec_t;
> ')
>
> if ! test "X$1" = "Xuser_t"; then
> list_dirs_pattern($1, bin_t, bin_t)
> read_lnk_files_pattern($1, bin_t, bin_t)
> can_exec($1, shell_exec_t)
> fi
> ')
>
> Thank you very much!
>
> Best regards,
> Harry
>
> ------------------------------------------------------------------------
> ????????,???????????-??,????????! ???
> ?? <http://cn.bing.com/?form=CRMADS%20>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
No that would not work. You need to define a new user type that a user
can login with. user_nobin_t, or something. Then you are going to need
to define all the rules necessary for this user to login and execute the
shell_exec_t and any other programs that you want them to run.
You write this in policy not in shell scripting.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20100303/8c7733d7/attachment.html
next prev parent reply other threads:[~2010-03-03 15:14 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-03 6:37 How to implement the "if-then-else" logic in refpolicy interface? TaurusHarry
2010-03-03 6:37 ` [refpolicy] " TaurusHarry
2010-03-03 15:14 ` Daniel J Walsh [this message]
2010-03-03 15:14 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B8E7CCC.8040407@redhat.com \
--to=dwalsh@redhat.com \
--cc=harrytaurus2002@hotmail.com \
--cc=refpolicy@oss1.tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.