Restricting access to su or sudo
We can restrict a user from running the su or sudo commands by changing the user's SELinux user mapping like this:
semanage login -a -s user_u test
The preceding command changes the Linux test user's mapping to user_u, which denies that user access to the su and sudo commands.
Note
This will only take effect when the user is not logged in.
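To check that a mapping such as the one above is in place, the output of semanage login -l can be audited. The script below is an added example, not code from the book: it reads that listing and reports, per login, whether the mapped SELinux user can reach su or sudo. The function names and the sample listing are constructed for illustration, and the verdicts assume the default targeted policy.

```shell
#!/bin/sh
# Added example (not from the book): audit `semanage login -l` output.
# Assumption: default targeted policy; booleans or custom modules can change it.

classify_selinux_user() {
    # Map an SELinux user to its default su/sudo capability.
    case "$1" in
        guest_u|xguest_u|user_u) echo "blocked" ;;
        staff_u)                 echo "sudo-only" ;;
        sysadm_u|unconfined_u)   echo "allowed" ;;
        system_u)                echo "system" ;;
        *)                       echo "unknown" ;;
    esac
}

audit_login_map() {
    # stdin: `semanage login -l` listing. Prints "<login> <seuser> <verdict>".
    while read -r login seuser _rest; do
        [ -z "$login" ] && continue          # blank separator line
        [ "$login" = "Login" ] && continue   # column header
        echo "$login $seuser $(classify_selinux_user "$seuser")"
    done
}

effective_mapping() {
    # $1: Linux login; stdin: `semanage login -l` listing.
    # A login with no record of its own inherits the __default__ mapping.
    # Group records (%group) are not resolved here.
    awk -v u="$1" '
        $1 == u             { own = $2 }
        $1 == "__default__" { def = $2 }
        END { print (own != "" ? own : def) }'
}

# Constructed sample listing, as it would look after mapping test to user_u.
SAMPLE='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
test                 user_u               s0                   *'

printf '%s\n' "$SAMPLE" | audit_login_map
# On a live system: semanage login -l | audit_login_map
```

Any login that has no record of its own shows up only through __default__, so an "allowed" verdict on that line applies to every unlisted account.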
Restricting permissions to run scripts
To restrict the Linux test user's ability to run scripts, we have to do two things. First, we change the user's mapping to guest_u, the same way as we did previously:
semanage login -a -s guest_u test
By default, SELinux allows users mapped to guest_t to execute scripts from their home directories. We can confirm the same using the following command: ...