Protect Files

To define a protected file in selang, enter the following command:
newres FILE filename
For example, to register a file named /tmp/binary.bkup, enter the following command:
newres FILE /tmp/binary.bkup
When you define a file rule without specifying its access type, the default access of NONE is assigned. In this case, the owner of the file is the only one who can access the file.
Most protected files should be protected from access by the superuser. Otherwise, any user who knows the password of the superuser gains automatic access to the files. At the same time, you can prevent all other users except the owner of the file from accessing the file.
To protect several similarly named files, use a file name pattern that includes a wildcard. The wildcards are * (which indicates zero or more characters) and ? (which indicates any one character, other than /).
The pattern that you specify is matched against the full path name of the file so that the pattern /tmp/x* matches files that are named /tmp/x1, /tmp/xxx, and even /tmp/xdir/a.
Patterns that PAM Server Control does not let you specify are: /*, /tmp/*, and /etc/*.
Because file name patterns are such a powerful tool, do not experiment freely with them.
Example: The following command defines as protected every file in the /tmp directory that has a name starting with a, and ending with b. This would include a file like /tmp/axyz/axyzb:
newres FILE /tmp/a*b
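The wildcard rules above, as an added Python sketch for previewing which full path names a pattern would cover before you define it with newres FILE. This is not PAM Server Control code: the matcher approximates the product's behavior from the rules stated on this page, and pattern_to_regex, preview, and the sample paths are names and data constructed for illustration.

```python
import re

# The three patterns this page says the product does not let you specify.
# (Only those listed on the page; the product may refuse others.)
REJECTED_PATTERNS = {"/*", "/tmp/*", "/etc/*"}


def pattern_to_regex(pattern):
    """Translate a FILE pattern using the rules stated on this page:
    '*' is zero or more characters (it may cross '/'),
    '?' is exactly one character other than '/'."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def preview(pattern, paths):
    """Return the full path names in `paths` that `pattern` would cover."""
    if pattern in REJECTED_PATTERNS:
        raise ValueError(f"{pattern} is a pattern you cannot specify")
    rx = pattern_to_regex(pattern)
    # The pattern is matched against the whole path, not just the base name.
    return [p for p in paths if rx.fullmatch(p)]


# Constructed sample paths (assumption: stand-ins for a real file listing).
SAMPLE_PATHS = [
    "/tmp/x1", "/tmp/xxx", "/tmp/xdir/a", "/tmp/y1",
    "/tmp/ab", "/tmp/axyz/axyzb", "/tmp/abc", "/tmp/binary.bkup",
]

if __name__ == "__main__":
    for pat in ("/tmp/x*", "/tmp/a*b", "/tmp/x?"):
        print(pat, "->", preview(pat, SAMPLE_PATHS))
```

Feed it a real listing (for example, the output of find on the directory) to see how far a pattern reaches into subdirectories before the rule is created.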