• 1

preventing file reads

in your case how can one prevent unconfined users, root etc. from reading
a file created by the sandbox_t domain?

i was hoping something like the following would work(but it does not):
neverallow {domain -mysandbox_t} mysandbox_rw_t:file *;


Re: preventing file reads

Well the idea is sandbox_t domain is not able to create any files. it is only able to read/write open files handed to the sandbox. Trying to prevent unconfined users from reading sandbox files is not the goal. If you want to have confined users then you need to set those up on your system. I have written previously on how to do this.

  • 1

Log in