====== Ubuntu - SELinux - Confine users ======

Confine almost all users as **user_u**.

  /usr/sbin/semanage login -a -s user_u $user

----

Users who need admin access I confine as **staff_u**.

  /usr/sbin/semanage login -a -s staff_u $user

There are 2 minor annoyances with this method.

First, I like regular users to be able to ping. This is enabled as a boolean.

  setsebool -P selinuxuser_ping on

Second, although staff_u users can use sudo, they are still restricted by SELinux. To allow unlimited access, add or edit **/etc/sudoers.d/sudo** to read:

  %user ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

Change “%user” to the user name you wish to allow unconfined root access. In sudoers a leading “%” marks a group, so drop it when naming a single user.

----

You might also (or instead) change the default login mapping:

  semanage login -m -S targeted -s user_u -r s0 __default__

If you don’t expect or intend to have any unconfined users, you can deny such logins:

  setsebool -P unconfined_login off

Rather than changing sudo to run as unconfined by default, you can pass in the role as an option when you expect to need it; that way you can still run commands as root but with some confinement:

  alias sado='sudo -r sysadm_r'

Note that any staff_u user can transition to sysadm_r via sudo -r or newrole, so don’t rely on the sudoers trick for securing staff users.

It was on this post: https://thelinuxcauldron.wordpress.com/wp-admin/post.php?post=32&action=edit
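
To check that the login mappings above actually took effect, the output of `semanage login -l` can be audited for any login (including `__default__`) that is still mapped to something other than user_u or staff_u. This is an added example, not part of the original post; the function names `audit_logins` and `all_confined` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `semanage login -l` output for logins that are not
# confined to the SELinux users used on this page (user_u, staff_u).

# Constructed sample in the column layout printed by `semanage login -l`.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                user_u               s0                   *
bob                  staff_u              s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *'

# Reads `semanage login -l` output on stdin and prints "login:seuser" for
# every mapping whose SELinux user is not in the allowed list.
# $1 (optional): space-separated allowed SELinux users.
audit_logins() {
    awk -v allowed="${1:-user_u staff_u}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Login" && $2 == "Name" { next }   # header row
        NF < 2 { next }                          # blank or malformed line
        !($2 in ok) { print $1 ":" $2 }
    '
}

# Returns 0 only when every mapping on stdin, __default__ included, is
# confined to an allowed SELinux user.
all_confined() {
    [ -z "$(audit_logins "$@")" ]
}

# Demonstration on the constructed sample.
# On a real host, run as root: semanage login -l | audit_logins
printf '%s\n' "$SAMPLE_LOGINS" | audit_logins
```

A `__default__` line in the output means accounts without an explicit mapping still log in with that SELinux user, which is the case the `semanage login -m ... __default__` command above addresses.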