* How to implement the "if-then-else" logic in refpolicy interface?
From: TaurusHarry @ 2010-03-03 6:37 UTC
To: refpolicy-mailing-list, selinux-mailing-list
Hi SELinux experts,

Thanks a lot for taking a look at my question. How could I implement the bash "if-then-else" and "test" grammar in the current refpolicy interface? For example, if I don't want the user_t to have the privilege to execute any kind of shell, what proper grammar should I use to implement something with the same logic as 'if ! test "X$1" = "Xuser_t"' in the corecmd_exec_shell interface:

interface(`corecmd_exec_shell',`
    gen_require(`
        type bin_t, shell_exec_t;
    ')

    if ! test "X$1" = "Xuser_t"; then
        list_dirs_pattern($1, bin_t, bin_t)
        read_lnk_files_pattern($1, bin_t, bin_t)
        can_exec($1, shell_exec_t)
    fi
')

Thank you very much!

Best regards,
Harry
* Re: [refpolicy] How to implement the "if-then-else" logic in refpolicy interface?
From: Daniel J Walsh @ 2010-03-03 15:14 UTC
To: TaurusHarry; +Cc: refpolicy-mailing-list, selinux-mailing-list
On 03/03/2010 01:37 AM, TaurusHarry wrote:
> Hi SELinux experts,
>
> Thanks a lot for taking a look at my question. How could I implement
> the bash "if-then-else" and "test" grammar in the current refpolicy
> interface? For example, if I don't want the user_t to have the
> privilege to execute any kind of shell, what proper grammar should I
> use to implement something with the same logic as 'if ! test "X$1" =
> "Xuser_t"' in the corecmd_exec_shell interface:
>
> interface(`corecmd_exec_shell',`
>     gen_require(`
>         type bin_t, shell_exec_t;
>     ')
>
>     if ! test "X$1" = "Xuser_t"; then
>         list_dirs_pattern($1, bin_t, bin_t)
>         read_lnk_files_pattern($1, bin_t, bin_t)
>         can_exec($1, shell_exec_t)
>     fi
> ')
>
> Thank you very much!
>
> Best regards,
> Harry
>
No, that would not work. You need to define a new user type that a user
can log in with, user_nobin_t or something. Then you are going to need
to define all the rules necessary for this user to log in and execute the
shell_exec_t and any other programs that you want them to run.

You write this in policy, not in shell scripting.
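
Added example, not part of the thread or of refpolicy: refpolicy interfaces are m4 macros expanded when the policy is built, so the shell lines in the question are never executed and are simply copied into the generated policy source. The script below expands the interface from the question to show this; the five define() lines are constructed, simplified stand-ins for refpolicy's support macros, the function names expand_for and leftover_shell_lines are hypothetical, and m4 must be installed.

```shell
#!/bin/sh
# Added example. The five define() lines are constructed, simplified stand-ins
# for refpolicy's m4 support macros; only the interface body is from the thread.

# expand_for DOMAIN: print what m4 hands to the policy compiler when
# corecmd_exec_shell(DOMAIN) is called.
expand_for() {
    m4 -DCALLER="$1" <<'EOF'
define(`interface', `define(`$1', `$2')')dnl
define(`gen_require', `require {$1}')dnl
define(`list_dirs_pattern', `allow $1 $3:dir { getattr search read };')dnl
define(`read_lnk_files_pattern', `allow $1 $3:lnk_file { getattr read };')dnl
define(`can_exec', `allow $1 $2:file { read getattr execute execute_no_trans };')dnl
interface(`corecmd_exec_shell',`
gen_require(`
type bin_t, shell_exec_t;
')
if ! test "X$1" = "Xuser_t"; then
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, bin_t)
can_exec($1, shell_exec_t)
fi
')dnl
corecmd_exec_shell(CALLER)
EOF
}

# leftover_shell_lines DOMAIN: count the shell lines that survived expansion.
# m4 only substitutes $1; it never evaluates "if ... then ... fi".
leftover_shell_lines() {
    expand_for "$1" | grep -c -E '^(if ! test .*; then|fi)$'
}

# Stand-alone run: show the expansion for the given domain (default user_t).
if command -v m4 >/dev/null 2>&1; then
    expand_for "${1:-user_t}"
fi
```

For user_t and for any other domain alike, the output contains the allow rule on shell_exec_t together with the untouched `if`/`fi` lines, which the policy compiler rejects as a syntax error.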