On Tue, 2012-03-27 at 17:43 -0400, Konstantin Ryabitsev wrote:
Let me verify this in my VM, though, before I'm forced to insert my foot into my mouth. :)
Yes, it works just as I thought. If you want to test it out:
testguest.te:
--------------------------------
policy_module(testguest, 1.0.0)

role testguest_r;

irc_role(testguest_r, testguest_t)

userdom_restricted_user_template(testguest)

gen_user(testguest_u, user, testguest_r, s0, s0)
--------------------------------
make -f /usr/share/selinux/devel/Makefile testguest.pp
semodule -i testguest.pp
cd /etc/selinux/targeted/contexts/users
cat guest_u | sed 's/guest_u/testguest_u/g' > testguest_u
useradd bob
passwd bob
usermod -Z testguest_u bob
As a result:
[bob@moppet ~]$ whoami
bob
[bob@moppet ~]$ id -Z
testguest_u:testguest_r:testguest_t:s0
[bob@moppet ~]$ telnet irc.freenode.org 6667
Trying 94.125.182.252...
telnet: connect to address 94.125.182.252: Permission denied
Best,
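The recipe above, as an added example that is not part of the mailing-list post: it parameterizes the post's steps on the user name (so the same pieces can be generated for any restricted user that should only reach the network through the IRC client), and adds two checks a practitioner would run afterwards, one on the generated user-contexts file and one on the context a login actually lands in. It assumes a targeted policy with the refpolicy irc module installed (so irc_role exists), the refpolicy devel Makefile at /usr/share/selinux/devel/Makefile, and the stock guest_u file under /etc/selinux/targeted/contexts/users as the template; unlike the post's one-field sed, it also renames guest_r/guest_t so the right-hand role:type column of the contexts file refers to the new role and domain. The semanage and sesearch calls in install_user are assumptions about the host's tooling and are not run offline.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Generates the parts of a
# restricted SELinux user that can only use the network via the IRC client
# (irc_role), parameterized on the user name, plus two consistency checks.
# Assumed: refpolicy irc module, /usr/share/selinux/devel/Makefile, and the
# stock guest_u user-contexts file as template.
set -eu

# Emit the .te source for restricted user "$1" (same content as the post's
# testguest.te, with the name substituted).
gen_te() {
    name="$1"
    printf 'policy_module(%s, 1.0.0)\n\n' "$name"
    printf 'role %s_r;\n\n' "$name"
    printf 'irc_role(%s_r, %s_t)\n\n' "$name" "$name"
    printf 'userdom_restricted_user_template(%s)\n\n' "$name"
    printf 'gen_user(%s_u, user, %s_r, s0, s0)\n' "$name" "$name"
}

# Rewrite a guest_u-style contexts file (read on stdin) for user "$1".
# The post substitutes only guest_u; this also renames guest_r and guest_t so
# the right-hand "role:type" column points at the new role and domain.
gen_user_contexts() {
    name="$1"
    sed -e "s/guest_u/${name}_u/g" -e "s/guest_r/${name}_r/g" \
        -e "s/guest_t/${name}_t/g"
}

# Check a contexts file (stdin): every mapping must land in <name>_r:<name>_t.
# Returns 0 when consistent, 1 when any line still maps elsewhere.
check_user_contexts() {
    name="$1"
    bad=$(awk -v want="${name}_r:${name}_t:" \
        'NF >= 2 && index($2, want) != 1 { c++ } END { print c+0 }')
    [ "$bad" -eq 0 ]
}

# Check an `id -Z` string: the login must be <name>_u:<name>_r:<name>_t:...
# Returns 0 on match, 1 otherwise.
check_login_context() {
    name="$1"; ctx="$2"
    case "$ctx" in
        "${name}_u:${name}_r:${name}_t:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build, install and verify on a real host (root plus the SELinux tools).
# Not exercised offline; it ties the functions above to the post's steps.
install_user() {
    name="$1"; login="$2"
    gen_te "$name" > "$name.te"
    make -f /usr/share/selinux/devel/Makefile "$name.pp"
    semodule -i "$name.pp"
    gen_user_contexts "$name" < /etc/selinux/targeted/contexts/users/guest_u \
        > "/etc/selinux/targeted/contexts/users/${name}_u"
    check_user_contexts "$name" < "/etc/selinux/targeted/contexts/users/${name}_u"
    # Assumed tooling: semanage maps the Linux login to the SELinux user;
    # sesearch should print no allow rule, i.e. the shell domain itself may
    # not connect out (only the irc_t domain reached via irc_role may).
    semanage login -a -s "${name}_u" "$login"
    sesearch --allow -s "${name}_t" -c tcp_socket -p name_connect
}

# Stand-alone run: "install NAME LOGIN" does the real thing; otherwise just
# print the generated policy source for NAME (default testguest).
if [ "${1:-}" = "install" ]; then
    install_user "$2" "$3"
else
    gen_te "${1:-testguest}"
fi
```

Running it with no arguments prints the .te source only; the install branch is the part that needs root, and the two check functions are what you run after `semodule -i` and after logging in as the new account to confirm the shell really starts in the new role and domain.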