Yes you can write policy for a new confined user. You can use sepolgen or selinux-polgengui to get started writing policy.

Limiting binaries might be more difficult depending on the binaries. Rather than be concerned about the binaries, please state your use case in terms of which files a user can read/write, which network ports they can bind to or connect to.

Being able to execute /bin/cat is not a problem. Being able to /bin/cat /var/lib/TopSecret/Plans is a problem.

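As an added example (not code from the original answer), here is what a confined-user use case looks like once it is stated in terms of files and ports: a minimal reference-policy style module whose new user domain can connect to HTTP ports, cannot bind listening sockets, and gets no rule at all for the protected directory. The module name newuser, the type secret_data_t and the /var/lib/TopSecret path are assumptions chosen to match the answer.

```selinux
policy_module(newuser, 1.0.0)

########################################
#
# Declarations
#

# Creates newuser_u, newuser_r and the newuser_t domain with the same
# baseline rights a restricted login user (such as guest_t) receives.
userdom_restricted_user_template(newuser)

# Assumed type for the directory mentioned in the answer; files under
# /var/lib/TopSecret are labelled secret_data_t by the .fc entry below.
type secret_data_t;
files_type(secret_data_t)
# Marking it as a security file keeps it out of the broad
# "read all non-security files" grants that some interfaces hand out.
files_security_file(secret_data_t)

########################################
#
# Local policy
#

# Network: the user may connect to HTTP ports. Nothing grants bind,
# so creating a listening socket on any port is denied.
corenet_tcp_connect_http_port(newuser_t)

# No rule mentions secret_data_t for newuser_t, so reading, writing or
# executing those files is denied even though /bin/cat itself stays
# executable; the AVC denial names the domain and the file type.

# ---- newuser.fc (second file in the same module directory) ----
# /var/lib/TopSecret(/.*)?    gen_context(system_u:object_r:secret_data_t,s0)
```

Build with `make -f /usr/share/selinux/devel/Makefile newuser.pp`, load with `semodule -i newuser.pp`, map a login with `semanage login -a -s newuser_u alice`, and relabel the directory with `restorecon -R /var/lib/TopSecret`. Check the resulting denials with `ausearch -m AVC` before enforcing on a production host.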