Restricting access to su or sudo
We can restrict a user from running sudo commands by changing the user's SELinux user mapping like this:
semanage login -a -s user_u test
The preceding command will change the Linux test user's mapping to user_u, which denies that user access to sudo commands.
This will only take effect when the user is not logged in.
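An added example, not from the original text: a shell helper that reads `semanage login -l` output and prints the mapping command to run, using -m instead of -a when the login already has a record (semanage rejects -a for an existing record), plus a session check for the logged-in caveat above. The sample listing, the sample `who` lines and the login alice are constructed.

```shell
#!/bin/sh
# Added example: plan a change to a login's SELinux user mapping.
# Functions read the text of `semanage login -l` (or `who`) on stdin.
# SAMPLE_LOGINS is a constructed listing, not output from a real host.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
test                 user_u               s0                   *'

# current_seuser LOGIN: print the SELinux user in LOGIN's own record.
# Only an exact login record counts; %group and __default__ are ignored.
current_seuser() {
    awk -v login="$1" 'NR > 1 && $1 == login { print $2; exit }'
}

# plan_mapping LOGIN SEUSER: print the semanage command needed, or
# nothing when LOGIN is already mapped to SEUSER.
plan_mapping() {
    login=$1
    want=$2
    have=$(current_seuser "$login")
    if [ -z "$have" ]; then
        echo "semanage login -a -s $want $login"   # no record yet: add
    elif [ "$have" != "$want" ]; then
        echo "semanage login -m -s $want $login"   # record exists: modify
    fi
}

# has_session LOGIN: succeed if LOGIN appears in `who` output on stdin.
# A mapping change does not affect a session that is already open.
has_session() {
    awk -v login="$1" '$1 == login { found = 1 } END { exit !found }'
}

# Demo on the constructed sample: test already has a user_u record, so
# moving it to guest_u needs -m; alice (hypothetical) has none, so -a.
printf '%s\n' "$SAMPLE_LOGINS" | plan_mapping test guest_u
printf '%s\n' "$SAMPLE_LOGINS" | plan_mapping alice user_u
```

On a live system, feed the functions real data with `semanage login -l | plan_mapping test guest_u` and `who | has_session test`.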
Restricting permissions to run scripts
To restrict the Linux test user's ability to run scripts, we have to do two things. First, we change the user's mapping to guest_u, the same way as we did previously:
semanage login -a -s guest_u test
By default, SELinux allows users mapped to guest_t to execute scripts from their home directories. We can confirm this using the following command: ...