creating a policy for making files read only


Postby zarathos » Tue Oct 28, 2014 5:57 pm

I would like to create a local customisation policy that will prevent the Linux user (say user1) from writing to files in the directory /home/user1/Documents using gedit.
The files in this directory have the type user_home_t.
gedit in /bin has type bin_t.


I have tried the following policy (named test1.te):

    module test 1.0;

    require {
        type user_home_t;
        type bin_t;
        class file { write read getattr execute };
    }

    neverallow bin_t user_home_t:file { write read getattr execute };
I then run the following commands as root in bash:

    # checkmodule -M -m -o test1.mod test1.te
    # semodule_package -o test1.pp -m test1.mod
    # semodule -i test1.pp

But even then, when I run gedit on any file I create in the Documents directory, I am able to read and modify its contents...
zarathos
 
Posts: 1
Joined: Tue Oct 28, 2014 4:29 pm
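Added example, not the poster's code or the reference policy's: a module that denies writes by omission instead of with neverallow, which is only a build-time assertion (it never blocks anything at runtime, and bin_t is the executable's file label, not the domain gedit runs in). It assumes user1 is mapped to a confined SELinux user whose domain is user_t, and uses a new type name, user_docs_t, chosen here for the example.

```selinux
policy_module(user_docs, 1.0)

require {
    type user_t;
}

# New type for /home/user1/Documents (name chosen for this example).
# After loading the module, map the user and label the directory:
#   semanage login -a -s user_u user1
#   semanage fcontext -a -t user_docs_t "/home/user1/Documents(/.*)?"
#   restorecon -Rv /home/user1/Documents
type user_docs_t;
files_type(user_docs_t)

# The confined user domain may list the directory and read files in it.
# No write, create, unlink or rename rule is given, so gedit running as
# user_t is denied when it tries to save. Nothing here touches
# unconfined_t, which keeps full access to the directory.
allow user_t user_docs_t:dir { getattr open read search };
allow user_t user_docs_t:file { getattr open read ioctl lock };
```

A policy_module file needs the reference policy headers, so build it with `make -f /usr/share/selinux/devel/Makefile` rather than checkmodule alone, then load the .pp with semodule -i as above. Afterwards `sesearch -A -s user_t -t user_docs_t -c file -p write` should return no rule, and `ps -eZ | grep gedit` shows which domain gedit is really running in.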
