
selinux policy module for blocking access to sys directory

asked 2014-01-14 21:37:16 -0600

eliascaplan465

updated 2014-04-14 15:16:28 -0600

mether

Here is my policy written to block access to the sys directory:

# Local policy module, version 1.0
policy_module(localpolicy, 1.0)

# Types this module refers to but does not define
gen_require(`
    type staff_t;
    type sysfs_t;
')

# Intended to restrict staff_t on the sys directory
allow staff_t sysfs_t:dir lock;

But when I load the policy, staff_t still has access and can search through the sys directory. What am I doing wrong?


1 Answer


answered 2014-02-04 17:15:21 -0600

domg

updated 2014-02-04 17:21:04 -0600

Yes because that is not what "lock" means in this context.

When it comes to SELinux you need to be aware that it is a deny by default system.

So everything that is allowed has a rule. Everything else is denied.

This is also why, in practice, it is a little harder to "shave" off permissions, because it usually means you have to remove existing rules.

Then again, there is no need to "change" existing domains; you can just add your own domain that is tailored to your requirements.

I have literally a shedload of videos with all kinds of SELinux related stuff on my YouTube channel. Hundreds of hours of video tutorials/examples.

This together with the book "SELinux by example", the Wiki at www.selinuxproject.org , and trial and error, should get you started:

hundreds of SELinux video tutorials

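As an added illustration of the deny-by-default point made in the answer (example code, written for this page, not the poster's policy or Fedora's), here is a small Python model of how SELinux access-vector rules are evaluated: allow rules for the same (source, target, class) are unioned and nothing else is granted, so the question's `lock` rule cannot take `search` away from staff_t, whereas a hypothetical new domain `restricted_t` with no sysfs rule is denied. The base rules are constructed and simplified stand-ins, not the real staff_t policy.

```python
import re
from typing import Dict, Set, Tuple

# Constructed, simplified stand-in for what the distribution policy already
# grants staff_t on sysfs. The real policy is larger; the shape is what matters.
BASE_POLICY = """
allow staff_t sysfs_t:dir { getattr search read open };
allow staff_t sysfs_t:file { getattr read open };
"""

# The rule from the question: it adds 'lock' and removes nothing.
LOCAL_POLICY = "allow staff_t sysfs_t:dir lock;"

Key = Tuple[str, str, str]  # (source type, target type, object class)

# Matches 'allow src tgt:class perm;' or 'allow src tgt:class { p1 p2 };'
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_allow_rules(text: str) -> Dict[Key, Set[str]]:
    """Collect allow rules into an access-vector table.

    Rules with the same key are unioned: a later allow can only widen the
    permission set for that key, never shrink it.
    """
    av: Dict[Key, Set[str]] = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        names = set(perms.strip("{} ").split())
        av.setdefault((src, tgt, cls), set()).update(names)
    return av


def allowed(av: Dict[Key, Set[str]], src: str, tgt: str, cls: str, perm: str) -> bool:
    """Deny by default: a permission is granted only by an explicit allow."""
    return perm in av.get((src, tgt, cls), set())


def sysfs_search_allowed(domain: str, extra_policy: str = "") -> bool:
    """Can `domain` search directories labelled sysfs_t under base + extra rules?"""
    av = parse_allow_rules(BASE_POLICY + extra_policy)
    return allowed(av, domain, "sysfs_t", "dir", "search")


if __name__ == "__main__":
    print("staff_t, base policy:        ", sysfs_search_allowed("staff_t"))
    print("staff_t, plus 'lock' rule:   ", sysfs_search_allowed("staff_t", LOCAL_POLICY))
    print("restricted_t (hypothetical): ", sysfs_search_allowed("restricted_t", LOCAL_POLICY))
```

The third case is the answer's suggestion in miniature: a domain that simply never received a sysfs allow rule is denied, while the original domain has to lose its existing rule to be blocked.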