Restricting access to su or sudo

We can restrict a user from running the su or sudo commands by changing the user's SELinux user mapping like this:

semanage login -a -s user_u test

The preceding command will change the Linux test user's mapping to user_u and will not allow the su or sudo commands access.


This will only take effect when the user is not logged in.

Restricting permissions to run scripts

To restrict the Linux test user's ability to run scripts we have to do two things. First, we change the user's mapping to guest_u, the same way as we did previously:

semanage login -a -s guest_u test

By default, SELinux allows users mapped to guest_t to execute scripts from their home directories. We can confirm the same using the following command: ...

Get Mastering CentOS 7 Linux Server now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.