To prevent the superuser from accessing a file, use a longer form of the selang newres command. For example, to deny access to the file /tmp/binary.bkup to the superuser and to every other user except the user myuser, use the following selang command:
newres FILE /tmp/binary.bkup owner(myuser) defaccess(N)
This command does the following:
Important! If you invoke the selang command under root authority and then define FILE records without explicitly specifying another user as their owner, root becomes the owner of those files. As the owner, root (or any user who logs in as root) has complete and free access to the files.
Note: You can set the token use_unix_file_owner in the seos.ini file to yes. This permits regular UNIX users to define access rules for the files they own.
Copyright © 2013 CA Technologies.
All rights reserved.