Differences

This shows you the differences between two versions of the page.

--- selinux:confine_users [2016/07/05 18:40] – peter
+++ selinux:confine_users [2019/12/04 20:19] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== SELinux - Confine users ======
-Confine almost all users as **user_u**.
-<code bash>
-/usr/sbin/semanage login -a -s user_u $user
-</code>
-Users who need admin access I confine as **staff_u**.
-<code bash>
-/usr/sbin/semanage login -a -s staff_u $user
-</code>
-There are 2 minor annoyances with this method.
-First I like regular users to be able to ping.  This is enabled as a boolean.
-<code bash>
-setsebool -P selinuxuser_ping on
-</code>
-And second, although staff_u can use sudo, they are still restricted by SELinux.  To allow unlimited access, add or edit **/etc/sudoers.d/sudo** to read:
-<file bash /etc/sudoers.d/sudo>
-%user ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
-</file>
-Change “%user” to the user name you wish to allow unconfined root access.
-Might also (or instead) change the default login mapping:
-<code bash>
-semanage login -m -S targeted -s user_u -r s0 __default__
-</code>
-If you don’t expect or intend to have any unconfined users, you can deny such logins:
-<code bash>
-setsebool -P unconfined_login off
-</code>
-Rather than changing sudo to run as unconfined by default, you can pass in the role as an option when you expect to need it; that way you can still run commands as root but with some confinement:
-<code bash>
-alias sado='sudo -r sysadm_r'
-</code>
-It should be noted that any staff_u can transition to sysadm_r via sudo -r or newrole so don’t rely on the sudoers trick for securing staff users.
-It was on this post: https://thelinuxcauldron.wordpress.com/wp-admin/post.php?post=32&action=edit