

Dec 9, 2013 (3 years and 8 months ago)


Fedora 19 with SELinux - security policy to authorize some users to start / stop certain services - how to?
Asked by
on 2013-08-20T09:22:50-04:00
My question is how to give certain users authorization to start and stop certain services?

I am asking specifically about Fedora systems with SELinux installed.

The utility to call for services administration is in this case "systemctl".

What type of SELinux security policy do I have to write? Where? How? Any references?

Thank you very much

Best Answer
Answer by
on 2013-08-20T10:27:31-04:00
RHEL doesn't yet have systemd, so the approach for Fedora 19 and RHEL will be dramatically

At any rate, what you are trying to do is not sanely possible. You'd have to create a separate login
role for each user and grant it ability to execute systemd without transitioning into systemd domain --
at which point you'd have to pretty much clone the entire systemd policy into each user's domain
and then write another policy for executing each service. Per user. Unless you already have a really
awesome understanding of SELinux and are already really excellent at writing SELinux policies (and
really love M4), I strongly suggest not going down this route.

Just add sudo rules per user to allow executing things like "/sbin/service foo restart" or
"/bin/systemctl restart foo.service". If you want to add SELinux into the fray, make these users
staff_u and the rest user_u.
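
The per-user sudo rules suggested in the answer above, as an added example that is not part of the original answer: a small generator that emits one exact command per allowed action, so the user cannot choose another unit or append arguments. The account name `alice` and the function names are constructed for illustration; `/bin/systemctl` and `foo.service` are the ones named in the answer.

```shell
#!/bin/sh
# Added example: emit sudoers lines that let one user run only specific
# systemctl actions on one specific unit. "alice" is a constructed account
# name; /bin/systemctl and foo.service come from the answer above.

SYSTEMCTL=/bin/systemctl

# Accept only plain account and unit names. Whitespace, commas, wildcards,
# slashes or the sudoers keyword ALL would change what the rule matches.
valid_name() {
    case "$1" in
        ''|ALL|*[!A-Za-z0-9_.@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# sudoers_rules USER UNIT ACTION...
# Prints one fully spelled-out command per action (no wildcards). sudo
# matches the listed arguments exactly, so nothing can be appended.
sudoers_rules() {
    user=$1; unit=$2; shift 2
    valid_name "$user" || { echo "bad user: $user" >&2; return 1; }
    valid_name "$unit" || { echo "bad unit: $unit" >&2; return 1; }
    for action in "$@"; do
        case "$action" in
            start|stop|restart|status) ;;
            *) echo "bad action: $action" >&2; return 1 ;;
        esac
    done
    for action in "$@"; do
        printf '%s ALL=(root) %s %s %s\n' "$user" "$SYSTEMCTL" "$action" "$unit"
    done
}

# Demo: print the drop-in content for alice. Save it to a file, check it
# with "visudo -cf <file>", then install it under /etc/sudoers.d/.
sudoers_rules alice foo.service start stop restart
```

Mapping the account to `staff_u`, as the answer suggests, is a separate step done with `semanage login -a -s staff_u alice`.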
