Restrict File Access

To restrict a file from access by the superuser in selang, use a longer version of the newres command. Example: To prevent the super user from accessing the file /tmp/binary.bkup, and any other user except the user myuser, use the following selang command:
capamsc141
To restrict a file from access by the superuser in selang, use a longer version of the newres command. Example: To prevent the super user from accessing the file /tmp/binary.bkup, and any other user except the user myuser, use the following selang command:
newres FILE /tmp/binary.bkup owner(myuser) defaccess(N)
This command does the following:
  1. Defines /tmp/binary.bkup as a protected file.
  2. Sets the user myuser as the owner of the file, granting myuser access to the file.
  3. Sets the default access of the file to NONE, preventing any other user from accessing the file. To permit other users access to the file, you must explicitly define access rules for that file.
If you invoke the selang command under root authority and then define FILE records without explicitly specifying another user as their owner, root becomes the owner of those files. As the owner, root (or any user who logs in as root) has complete and free access to the files.
You can set the token use_unix_file_owner in the seos.ini file to yes. This permits regular UNIX users to define access rules for the files they own.