Consider the following scenario. I have a read-only (ro) file system mounted at /system and I cannot remount it read-write at all. There is a file /system/bin/xyz with context u:r:bin_t. Naturally I cannot change the context, as the file system is read-only. I have a program running with context my_prog_t which needs to execute /system/bin/xyz. Now I can allow my_prog_t to execute bin_t, but I don't want it to execute other bin_t files as well. In AppArmor this can be done with file paths. Can this situation be handled with SELinux without resorting to AppArmor?
flappybirdy
- Have you tried `audit2allow`? https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux – Artem S. Tashkinov Sep 05 '21 at 13:54
- It 'suggests' `allow my_prog_t bin_t:file { open read getattr execute stat };`, which I don't want, as said in the question. – flappybirdy Sep 05 '21 at 14:30
- Check this answer: https://unix.stackexchange.com/questions/309122/how-to-create-a-custom-selinux-label – Artem S. Tashkinov Sep 05 '21 at 14:44
- If the volume in which the xyz program is located is read-only, how am I supposed to change the context there? Also, I know how to make contexts. – flappybirdy Sep 05 '21 at 15:25
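An added check, not part of the original question or its comments: before accepting the `allow my_prog_t bin_t:file { ... execute ... }` rule that `audit2allow` proposes, enumerate every file on the read-only image that carries the type `bin_t`. SELinux type enforcement keys the rule on the type, so the rule grants execute on all of those files, not only on /system/bin/xyz. The listing below is constructed sample data; the paths /system/bin/abc, /system/bin/def, /system/bin/sh and /system/lib/libfoo.so are invented placeholders standing in for the real output of `find /system -type f -printf '%Z %p\n'`.

```shell
#!/bin/sh
# Constructed sample in the shape of `find /system -type f -printf '%Z %p\n'`
# (context, then path). Only /system/bin/xyz comes from the question; the
# other entries are invented placeholders for this example.
SAMPLE_LISTING='u:object_r:bin_t /system/bin/xyz
u:object_r:bin_t /system/bin/abc
u:object_r:bin_t /system/bin/def
u:object_r:shell_t /system/bin/sh
u:object_r:system_file /system/lib/libfoo.so'

# files_with_type TYPE [LISTING]
# Print every path whose SELinux type (third field of user:role:type[:level])
# equals TYPE. Defaults to the constructed sample listing above.
files_with_type() {
    type="$1"
    listing="${2:-$SAMPLE_LISTING}"
    printf '%s\n' "$listing" | awk -v t="$type" '
        {
            n = split($1, ctx, ":")   # user:role:type[:level]
            if (ctx[3] == t) print $2
        }'
}

# count_with_type TYPE [LISTING]
# Number of files a type-based allow rule on TYPE would cover.
count_with_type() {
    files_with_type "$@" | wc -l | tr -d ' '
}

# Show what `allow my_prog_t bin_t:file execute` would really expose.
# On a live SELinux system feed real data instead of the sample, e.g.:
#   files_with_type bin_t "$(find /system -type f -printf '%Z %p\n')"
# and confirm the loaded policy with setools:
#   sesearch -A -s my_prog_t -t bin_t -c file -p execute
echo "files covered by a rule on bin_t: $(count_with_type bin_t)"
files_with_type bin_t
```

The point of the check is the count: if it is greater than one, the proposed rule opens more than the single binary the domain needs, which is exactly the concern raised in the question.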