

Restricting File Access

To protect a file from access by the superuser, use a longer form of the selang newres command. For example, to prevent the superuser, and every other user except the user myuser, from accessing the file /tmp/binary.bkup, use the following selang command:

newres FILE /tmp/binary.bkup owner(myuser) defaccess(N)

This command does the following:

  1. Defines /tmp/binary.bkup as a protected file.
  2. Sets the user myuser as the owner of the file, granting myuser access to the file.
  3. Sets the default access of the file to NONE, preventing any other user from accessing the file. To permit other users access to the file, you must explicitly define access rules for that file.

Important! If you invoke the selang command under root authority and then define FILE records without explicitly specifying another user as their owner, root becomes the owner of those files. As the owner, root (or any user who logs in as root) has complete and free access to the files.

Note: You can set the token use_unix_file_owner in the seos.ini file to yes. This permits regular UNIX users to define access rules for the files they own.
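
The explicit access rule that step 3 calls for, shown as an added example that is not part of the original documentation: after the file is defined with default access NONE, one additional user is granted read access, and the record is then displayed so the owner and access list can be checked. The user name auditor1 is a hypothetical account chosen for illustration; the authorize and showres commands are standard selang commands.

```selang
newres FILE /tmp/binary.bkup owner(myuser) defaccess(N)
authorize FILE /tmp/binary.bkup uid(auditor1) access(READ)
showres FILE /tmp/binary.bkup
```

In the showres output, confirm that the owner is myuser rather than root, which is the condition the Important note above warns about when records are defined under root authority.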