
selinux policy module for blocking access to sys directory

asked 2014-01-14 21:37:16 -0500 by eliascaplan465

updated 2014-04-14 15:16:28 -0500 by mether

Here is my policy written to block access to the sys directory:

    policy_module(localpolicy, 1.0)

    gen_require(`
        type staff_t;
        type sysfs_t;
    ')

    allow staff_t sysfs_t:dir lock;

But when I load the policy, staff_t still has access and can search through the sys directory. What am I doing wrong?


1 Answer


answered 2014-02-04 17:15:21 -0500 by domg

updated 2014-02-04 17:21:04 -0500

Yes because that is not what "lock" means in this context.

When it comes to SELinux you need to be aware that it is a deny by default system.

So everything that is allowed has a rule. Everything else is denied.

This is also why, in practice, it is a little harder to "shave off" permissions: it usually means you have to remove existing rules.

Then again, there is no need to "change" existing domains; you can just add your own domain that is tailored to your requirements.

I have literally a shedload of videos with all kinds of SELinux-related stuff on my YouTube channel. Hundreds of hours of video tutorials/examples.

This, together with the book "SELinux by Example", the Wiki at , and trial and error, should get you started:

hundreds of SELinux video tutorials

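The point of the answer, deny by default and allow rules that only ever add, is easy to see in a small model of the access-vector semantics. The following is an added example, not code from the question or the answer: it parses the `allow SRC TGT:CLASS PERMS;` form the question uses and evaluates access checks the way the kernel does. `BASE_POLICY` is a constructed stand-in for whatever the distribution policy really grants staff_t, the `Policy` class and its methods are this example's own, and `mystaff_t` is a hypothetical new domain with no sysfs rules at all.

```python
"""Toy model of SELinux allow-rule semantics (added example; not code from the
question or answer above).

It parses the `allow SRC TGT:CLASS PERMS;` form used in the question and
checks access the way the kernel does: deny unless some rule grants the
permission. BASE_POLICY is a constructed stand-in for what the distribution
policy grants staff_t; the real rules on a machine are shown by sesearch.
"""
import re
from dataclasses import dataclass, field

# allow SRC TGT:CLASS PERM;   or   allow SRC TGT:CLASS { P1 P2 ... };
_ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[\w\s]+?)\s*\}|(?P<perm>\w+))\s*;$"
)


@dataclass
class Policy:
    """Access vectors: (source, target, class) -> set of granted permissions."""
    rules: dict = field(default_factory=dict)

    def load(self, text: str) -> "Policy":
        """Add the allow rules in `text`. Loading is purely additive, as with
        `semodule -i`: a module can grant permissions but cannot take away
        what another module already granted."""
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            m = _ALLOW_RE.match(line)
            if m is None:
                raise ValueError(f"unsupported statement: {line!r}")
            perms = m["perms"].split() if m["perms"] else [m["perm"]]
            key = (m["src"], m["tgt"], m["cls"])
            self.rules.setdefault(key, set()).update(perms)
        return self

    def allowed(self, src: str, tgt: str, cls: str, perm: str) -> bool:
        """Deny by default: True only if a rule names this exact permission."""
        return perm in self.rules.get((src, tgt, cls), set())

    def without(self, src: str, tgt: str, cls: str, *perms: str) -> "Policy":
        """Copy with `perms` removed from one access vector. This is what
        'shaving off' a permission really requires: editing the rule that
        grants it, which an extra module cannot do."""
        copy = Policy({k: set(v) for k, v in self.rules.items()})
        key = (src, tgt, cls)
        if key in copy.rules:
            copy.rules[key].difference_update(perms)
        return copy


# Constructed stand-in for the distribution policy (real values vary).
BASE_POLICY = """
allow staff_t sysfs_t:dir { getattr open read search };
allow staff_t sysfs_t:file { getattr open read };
"""

# The module from the question, unchanged.
QUESTION_MODULE = "allow staff_t sysfs_t:dir lock;"


def demo() -> dict:
    """Walk through the situations discussed in the answer."""
    base = Policy().load(BASE_POLICY)
    with_module = Policy().load(BASE_POLICY).load(QUESTION_MODULE)
    shaved = with_module.without("staff_t", "sysfs_t", "dir", "search")
    q = ("staff_t", "sysfs_t", "dir")
    return {
        # search was already allowed; the question's rule only added lock
        "search_before": base.allowed(*q, "search"),
        "search_after": with_module.allowed(*q, "search"),
        "lock_before": base.allowed(*q, "lock"),
        "lock_after": with_module.allowed(*q, "lock"),
        # blocking means removing the rule that grants search
        "search_after_removal": shaved.allowed(*q, "search"),
        # a hypothetical new domain with no sysfs rules is denied by default
        "new_domain_search": with_module.allowed("mystaff_t", "sysfs_t", "dir", "search"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

On a real system the equivalent first step is to find the rule that already grants the access, for example with setools' `sesearch -A -s staff_t -t sysfs_t -c dir -p search`; the result tells you which existing rule (and, via `sesearch -A ... -b BOOL` style queries, which boolean, if any) would have to go.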
