Selinux and confined users

I admit to a paranoid streak and have been confining my users with selinux.

I confine almost all users as user_u

/usr/sbin/semanage login -a -s user_u $user

Users who need admin access I confine as staff_u

/usr/sbin/semanage login -a -s staff_u $user

There are 2 minor annoyances with this method.

First I like regular users to be able to ping. This is enabled as a boolean.

setsebool -P selinuxuser_ping on

And second, although staff_u can use sudo, they are still restricted by selinux. To allow unlimited access, add or edit /etc/sudoers.d/sudo to read

%user ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

Change “%user” to the user name you wish to allow unconfined root access.

This entry was posted in Fedora, Linux. Bookmark the permalink.

4 Responses to Selinux and confined users

  1. Dag says:

    Might also (or instead) change the default login mapping:

    semanage login -m -S targeted -s user_u -r s0 __default__

    If you don’t expect or intend to have any unconfined users, you can deny such logins:

    setsebool -P unconfined_login off

    Rather than changing sudo to run as unconfined by default, you can pass in the role as an option when you expect to need it; that way you can still run commands as root but with some confinement:

    alias sado='sudo -r sysadm_r'

  2. Dag says:

    It should be noted that any staff_u can transition to sysadm_r via sudo -r or newrole so don’t rely on the sudoers trick for securing staff users.

  3. bodhi.zazen says:

    @Dag – Thank you for taking the time to comment. I will look at some of those options.

  4. Glad to see you are still posting. I used to read your site a TON years ago, and in recent months heavily got involved with Linux again, I am on many distros, primarily Mint. I was modding comments and I remember how helpful you were.

    It was on this post:

    I was inspired after losing out on a position at work, to really get back to my Linux roots, and happy to say I am sans Windows at home now. And very happy each day I have something new to discover.

    Take care


Leave a Reply

Your email address will not be published. Required fields are marked *