Displaying 2 results from an estimated 2 matches for "security_admin_t".
2015 Jan 23
2
How to prevent root from managing/disabling SELinux
...n't see how to prevent this. There are too many
access points (not just the CLI tools but the pp files and the /sys tree
and I don't know what else).
I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux
has security_t so maybe a policy that denies everyone except a new
security_admin_t permission to modify those files might work?
Has anyone actually attempted this?
--
rgds
Stephen
2015 Jan 26
0
How to prevent root from managing/disabling SELinux
...is. There are too many
> access points (not just the CLI tools but the pp files and the /sys tree
> and I don't know what else).
>
> I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux
> has security_t so maybe a policy that denies everyone except a new
> security_admin_t permission to modify those files might work?
>
> Has anyone actually attempted this?
>
You would need to disable the unconfined.pp module and the
unconfineduser.pp module and run all of your users as confined users,
including the admin user as sysadm_t.
You could also set the secure_ boolea...