[DSE-Dev] Bug#933858: (no subject)

Dominick Grift dominick.grift at defensec.nl
Tue Aug 6 11:58:29 BST 2019


From a traditional strict point of view (without unconfined), this is how the workflow should be:

When you log in directly as root you should get "sysadm_r:sysadm_t" (which is the strict equivalent to unconfined).
When you want an unprivileged user (users in the "adm" group) to have root access with sysadm_r:sysadm_t, you would associate that user with staff_u:
useradd -Z staff_u joe
staff_u users should be able to transition to sysadm_r:sysadm_t with sudo:
sudo -r sysadm_r -t sysadm_t -s
or alternatively with newrole/su:
newrole -r sysadm_r
su
Unprivileged users that should never have root access should be associated with user_u:
useradd -Z user_u jane

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
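The staff_u/user_u mapping rule described in the message, as an added audit script that is not part of the original post or of any SELinux project: it checks a login listing in the format of `semanage login -l` against the adm group entry and flags logins that deviate from the rule (adm members not mapped to staff_u, non-members not mapped to user_u). The sample listing, the group line and the function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in the layout of `semanage login -l` (not from a real host).
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
jane                 user_u               s0                   *
joe                  staff_u              s0-s0:c0.c1023       *
bob                  unconfined_u         s0-s0:c0.c1023       *
root                 root                 s0-s0:c0.c1023       *'

# Constructed /etc/group entry for the adm group.
SAMPLE_ADM_LINE='adm:x:4:joe,bob'

# Print one finding per line for logins that break the workflow:
#   - a member of adm mapped to anything other than staff_u
#   - a non-member of adm mapped to anything other than user_u
# root and __default__ are skipped: root gets sysadm_t directly.
# $1 = login listing text, $2 = the adm line from /etc/group.
audit_logins() {
    adm_members=$(printf '%s\n' "$2" | cut -d: -f4 | tr ',' ' ')
    printf '%s\n' "$1" | awk -v adm="$adm_members" '
        BEGIN { n = split(adm, a, " "); for (i = 1; i <= n; i++) in_adm[a[i]] = 1 }
        NR <= 2 || $1 == "__default__" || $1 == "root" { next }
        {
            user = $1; seuser = $2
            if (in_adm[user] && seuser != "staff_u")
                printf "%s: in adm but mapped to %s (expected staff_u)\n", user, seuser
            else if (!in_adm[user] && seuser != "user_u")
                printf "%s: not in adm but mapped to %s (expected user_u)\n", user, seuser
        }'
}

# Number of findings; 0 means every login matches the workflow.
audit_count() {
    audit_logins "$1" "$2" | awk 'END { print NR }'
}

audit_logins "$SAMPLE_LOGINS" "$SAMPLE_ADM_LINE"
```

On a real system the listing comes from `semanage login -l` and the group line from `getent group adm`; both are fed to the functions unchanged.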


