Restricting access to su or sudo

We can restrict a user from running the su or sudo commands by changing the user's SELinux user mapping like this:

semanage login -a -s user_u test

The preceding command will change the Linux test user's mapping to user_u and will not allow the su or sudo commands access.

Note

This will only take effect when the user is not logged in.

Restricting permissions to run scripts

To restrict the Linux test user's ability to run scripts we have to do two things. First, we change the user's mapping to guest_u, the same way as we did previously:

semanage login -a -s guest_u test

By default, SELinux allows users mapped to guest_t to execute scripts from their home directories. We can confirm the same using the following command: ...

Get Mastering CentOS 7 Linux Server now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Mastering CentOS 7 Linux Server by Mohamed Alibi, Bhaskarjyoti Roy

Restricting access to su or sudo

Note

Restricting permissions to run scripts

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly