# Policy module sudo_exec: lets a file labeled sudo_exec_t serve as an
# entrypoint into the unconfined_t domain.
# NOTE(review): the build commands on this page compile this source from
# sudo_exec_selinux.te, while the module declares itself as "sudo_exec".
# Some checkmodule/semodule versions warn about a module name that differs
# from the file's base name -- confirm on the target system.
module sudo_exec 1.1;

# Types and permissions that the loaded policy must already define.
require {
    type sudo_exec_t;
    type unconfined_t;
    # "read" is declared here, but no rule in this module uses it.
    class file { read entrypoint };
}

# ---- unconfined_t ----
# Grants the entrypoint permission only: unconfined_t may be entered by
# executing a sudo_exec_t file. The process transition and the execute
# permission have to be allowed by other rules. unconfined_t is subject to
# few restrictions under the targeted policy, so check the AVC denials that
# motivated this rule before loading it.
allow unconfined_t sudo_exec_t:file entrypoint;
Save the policy above as sudo_exec_selinux.te, then compile it into a module:
checkmodule -M -m -o sudo_exec_selinux.mod sudo_exec_selinux.te
Make a package with the module:
semodule_package -o sudo_exec_selinux.pp -m sudo_exec_selinux.mod
Install the package (run as root; `semodule -l` lists the loaded modules afterwards):
semodule -i sudo_exec_selinux.pp
# Policy module service_sudo_exec: lets a process running in
# unconfined_service_t transition into unconfined_t.
module service_sudo_exec 1.1;

# Types and permissions that the loaded policy must already define.
require {
    type unconfined_t;
    type unconfined_service_t;
    class process { transition };
}

# ---- unconfined_service_t ----
# Grants the process transition permission only. A domain transition also
# needs execute permission on the program and an entrypoint rule for the
# target domain. The rule names no specific program, so it applies to every
# process in unconfined_service_t; confirm from the AVC denials that this
# breadth is needed before loading it.
allow unconfined_service_t unconfined_t:process transition;
Save the policy above as service_sudo_exec.te, then compile it into a module:
checkmodule -M -m -o service_sudo_exec.mod service_sudo_exec.te
Make a package with the module:
semodule_package -o service_sudo_exec.pp -m service_sudo_exec.mod
Install the package (run as root; `semodule -l` lists the loaded modules afterwards):
semodule -i service_sudo_exec.pp
# Policy module chkpwd_exec: lets a file labeled chkpwd_exec_t serve as an
# entrypoint into the unconfined_t domain.
module chkpwd_exec 1.1;

# Types and permissions that the loaded policy must already define.
require {
    type chkpwd_exec_t;
    type unconfined_t;
    class file { entrypoint };
}

# ---- unconfined_t ----
# Grants the entrypoint permission only: unconfined_t may be entered by
# executing a chkpwd_exec_t file. The process transition and the execute
# permission have to be allowed by other rules.
# NOTE(review): chkpwd_exec_t presumably labels the password-checking
# helper. Running it in unconfined_t rather than a dedicated confined domain
# removes that confinement -- confirm this is intended.
allow unconfined_t chkpwd_exec_t:file entrypoint;
Save the policy above as chkpwd_exec.te, then compile it into a module:
checkmodule -M -m -o chkpwd_exec.mod chkpwd_exec.te
Make a package with the module:
semodule_package -o chkpwd_exec.pp -m chkpwd_exec.mod
Install the package (run as root; `semodule -l` lists the loaded modules afterwards):
semodule -i chkpwd_exec.pp