How to create SELinux confined users
This page describes how to set up SELinux confined users (Linux accounts mapped to a restricted SELinux user such as staff_u instead of unconfined_u) and how to debug problems that come up when working with them.
Create new users assigned to particular SELinux users
Create 4 new Linux users, each mapped to the corresponding SELinux user of the targeted policy (guest_u, xguest_u, user_u and staff_u). Run as root; passwd --stdin is the Fedora/RHEL variant of passwd:

PASSWORD=${PASSWORD-"my_p4ss-w0rd"}   # not PWD: the shell reserves PWD for the current directory
for username in guest xguest user staff; do
    adduser -Z "${username}_u" "${username}"
    echo "${PASSWORD}" | passwd --stdin "${username}"
done
Assign a SELinux user to an existing Linux user
Change the SELinux user mapping of an existing Linux user, then list the mappings to confirm it. The new mapping applies from the user's next login; sessions that are already running keep their old context.

$ sudo semanage login -a -s staff_u existinguser
$ sudo semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service
...
existinguser         staff_u              s0-s0:c0.c1023       *
Assign a SELinux user an additional role
Allow staff_u to use the dbadm_r role, which it cannot reach by default. semanage user -m -R replaces the whole role list, so repeat the roles staff_u already has and append dbadm_r; leaving one out removes it.

$ sudo semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
...
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r

$ sudo semanage user -m -R "staff_r sysadm_r system_r unconfined_r dbadm_r" staff_u
$ sudo semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
...
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r dbadm_r
Assign admin roles to Linux users when they use sudo
Fedora's sudo is built with SELinux support, so a sudoers entry can change the SELinux role and type (ROLE= and TYPE=) together with the user id. The role must be one the caller's SELinux user is allowed to use: staff_u has sysadm_r by default, while dbadm_r first has to be added as shown in the previous section. Note that "sudo cat > /etc/sudoers.d/..." does not work, because the redirection is performed by the unprivileged shell; use tee (or write the file as root), and check the result with visudo -cf before relying on it, since a syntactically broken drop-in breaks sudo for everyone.

$ sudo tee /etc/sudoers.d/admin-roles > /dev/null << 'EOF'
# staff can become sysadm for all commands and shell
staff ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: ALL
# staff2 can only run networking commands
#Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
#staff2 ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: NETWORKING
# staff3 can become dbadm for database administration
#Cmnd_Alias DATABASES = /usr/bin/mariadb-admin, /usr/bin/mysqladmin, /usr/bin/psql
#staff3 ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t NOPASSWD: DATABASES
EOF
$ sudo visudo -cf /etc/sudoers.d/admin-roles
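The script below is an added example, not code from the original page or from the Fedora project: it carries out the "additional role" step and the sudo step above for a hypothetical login staff3, reading the current roles from semanage user -l instead of hard-coding them (so the -R replacement cannot drop a role by accident), and syntax-checking the sudoers drop-in before installing it. It assumes the targeted policy's staff_u, dbadm_r and dbadm_t and Fedora's SELinux-enabled sudo; SAMPLE_SEMANAGE_USER_L is a constructed copy of semanage user -l output so the parsing part runs without root.

```shell
#!/bin/sh
# Added example (not from the original page): grant dbadm_r to staff_u and
# wire it into sudo, preserving the roles staff_u already has.
# Assumes the targeted policy's staff_u/dbadm_r/dbadm_t and Fedora's sudo
# built with SELinux support. The listing below is constructed sample data.

SAMPLE_SEMANAGE_USER_L='
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
user_u          user       s0         s0                             user_r
'

# current_roles <seuser>: read `semanage user -l` on stdin, print that user's roles.
# The first four columns are fixed; everything from column 5 onwards is a role.
current_roles() {
    awk -v u="$1" '$1 == u {
        for (i = 5; i <= NF; i++) printf "%s%s", (i > 5 ? " " : ""), $i
        print ""
    }'
}

# merged_roles "<roles>" <role>: append <role> unless it is already present.
# `semanage user -m -R` REPLACES the role set, so an omitted role is lost.
merged_roles() {
    case " $1 " in
        *" $2 "*) echo "$1" ;;
        *)        echo "$1 $2" ;;
    esac
}

# dbadm_sudoers <login>: sudoers drop-in letting <login> run the database
# admin commands with a transition to dbadm_r:dbadm_t.
dbadm_sudoers() {
    printf '%s\n' \
        'Cmnd_Alias DATABASES = /usr/bin/mariadb-admin, /usr/bin/mysqladmin, /usr/bin/psql' \
        "$1 ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t NOPASSWD: DATABASES"
}

# install_sudoers <name>: drop-in content on stdin. visudo -cf rejects a
# malformed file before it can break sudo for every user on the host.
install_sudoers() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    visudo -cf "$tmp" && install -m 0440 "$tmp" "/etc/sudoers.d/$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# grant_dbadm <login>: the whole procedure on a live system (root required).
grant_dbadm() {
    login=$1
    semanage login -a -s staff_u "$login"          # use -m if already mapped
    roles=$(semanage user -l | current_roles staff_u)
    semanage user -m -R "$(merged_roles "$roles" dbadm_r)" staff_u
    dbadm_sudoers "$login" | install_sudoers "dbadm-$login"
    # what sudo will now allow for the user, including the ROLE/TYPE change
    sudo -u "$login" -- sudo -l
}

# Dry run against the constructed sample; set APPLY=1 and run as root to apply.
printf '%s\n' "$SAMPLE_SEMANAGE_USER_L" | current_roles staff_u
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    grant_dbadm "${1:-staff3}"
fi
```

The user sees the new role only at the next login; a quick check afterwards is to log in as the user and run id -Z before and after a sudo command covered by the DATABASES alias.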
Refer to https://fedoraproject.org/wiki/SELinux/Debugging for additional debugging settings; https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing and https://fedoraproject.org/wiki/SELinux/Debugging#Switch_the_system_to_SELinux_permissive_mode are the most useful here. When gathering debugging data, make sure the -m list of the ausearch command includes the SELINUX_ERR message type as well as AVC: a role or type transition that a confined user is not allowed to make is logged as SELINUX_ERR (op=security_compute_sid with an invalid_context), not as an AVC denial, so a search for AVC records alone will miss it.
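An added example, not from the original page, of gathering and summarizing the records mentioned above. audit_denials is the ausearch invocation with SELINUX_ERR included; summarize_denials collapses the raw records into counted "source -> target context / class / permission" lines so a stack of identical denials reads as one entry. It assumes auditd and ausearch as shipped on Fedora; SAMPLE_AUDIT is constructed for the demo and mimics what a user mapped to staff_u sees when sudo tries to transition to dbadm_r before that role has been granted.

```shell
#!/bin/sh
# Added example (not from the original page): collect the audit records that
# confined-user problems produce and summarize them. Assumes auditd/ausearch
# as on Fedora. The audit lines in SAMPLE_AUDIT are constructed for the demo.

# audit_denials [start]: pull AVC, USER_AVC and SELINUX_ERR records. -m takes a
# comma-separated list; a role/type transition a confined user is not allowed
# is logged as SELINUX_ERR rather than as an AVC, so it must be in the list.
audit_denials() {
    ausearch -m AVC,USER_AVC,SELINUX_ERR -ts "${1:-recent}"
}

# summarize_denials: raw audit records on stdin; prints one line per distinct
# denial with its count, most frequent first.
summarize_denials() {
    awk '
    $1 == "type=AVC" || $1 == "type=SELINUX_ERR" {
        split("", kv)
        for (i = 1; i <= NF; i++)
            if (split($i, p, "=") >= 2) kv[p[1]] = p[2]
        if ($1 == "type=AVC") {
            perm = ""
            if (match($0, /[{][^}]*[}]/)) perm = substr($0, RSTART, RLENGTH)
            key = kv["scontext"] " -> " kv["tcontext"] " " kv["tclass"] " " perm
        } else if ("invalid_context" in kv) {
            # the kernel refused to build the requested context: typically the
            # role is not permitted for the SELinux user (check semanage user -l)
            key = "SELINUX_ERR " kv["op"] " invalid_context=" kv["invalid_context"]
        } else {
            key = "SELINUX_ERR " kv["op"] " " kv["oldcontext"] " -> " kv["newcontext"]
        }
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample: two identical transition denials plus the SELINUX_ERR
# raised because staff_u is not allowed dbadm_r.
SAMPLE_AUDIT='type=AVC msg=audit(1588153296.145:3216): avc:  denied  { transition } for  pid=1234 comm="sudo" path="/usr/bin/bash" dev="dm-0" ino=4321 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:dbadm_r:dbadm_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1588153301.002:3217): avc:  denied  { transition } for  pid=1240 comm="sudo" path="/usr/bin/bash" dev="dm-0" ino=4321 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:dbadm_r:dbadm_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SELINUX_ERR msg=audit(1588153310.500:3218): op=security_compute_sid invalid_context=staff_u:dbadm_r:dbadm_t:s0-s0:c0.c1023 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=process'

# Demo on the sample; on a real host run:  audit_denials today | summarize_denials
printf '%s\n' "$SAMPLE_AUDIT" | summarize_denials
```

The summary is what to paste into a bug report alongside the semanage login -l and semanage user -l output: an invalid_context line naming a role points at the mapping or role list, while a plain AVC line is a policy denial that audit2why can explain.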