From Fedora Project Wiki

How to create SELinux confined users

This page was created to set up SELinux confined users and to help with debugging issues related to using confined users.

Create new users assigned to particular SELinux users

Create 4 new Linux users assigned to a corresponding SELinux user:

# Run as root. Do not name the variable PWD: the shell always sets PWD to the
# current directory, so ${PWD-...} would never fall back to the default.
PASSWORD=${PASSWORD:-"my_p4ss-w0rd"}
for username in guest xguest user staff
do
  # -Z maps the new Linux user to the SELinux user of the same name (guest_u, xguest_u, user_u, staff_u)
  adduser -Z "${username}_u" "${username}"
  echo "${PASSWORD}" | passwd --stdin "${username}"
done

Assign a SELinux user to an existing Linux user

Change SELinux user for a Linux user:

$ sudo semanage login -a -s staff_u existinguser
$ sudo semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
...
existinguser         staff_u              s0-s0:c0.c1023       *

Assign a SELinux user an additional role

Allow the staff user to access the dbadm role, which it is not allowed to access by default.

$ sudo semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
...
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
$ sudo semanage user -m -R "staff_r sysadm_r system_r unconfined_r dbadm_r" staff_u
$ sudo semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
...
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r dbadm_r
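Checking the result of the two steps above by hand means reading both listings and matching them up. The following POSIX shell script is an added example, not part of the wiki page: it parses the format of `semanage login -l` and `semanage user -l` to answer "which SELinux user is this login mapped to, and does that SELinux user carry a given role?". The two listings embedded here are constructed samples in the format shown above; the function names (`seuser_for_login`, `roles_for_seuser`, `login_has_role`, `live_login_has_role`) are my own, and the live wrapper needs root and the semanage tool.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page). Parses `semanage login -l`
# and `semanage user -l` output to verify login -> SELinux user -> role.

# Constructed sample of `semanage login -l` (same columns as on the page)
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
existinguser         staff_u              s0-s0:c0.c1023       *'

# Constructed sample of `semanage user -l`, after dbadm_r was added to staff_u
SAMPLE_USERS='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r dbadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r'

# Print the SELinux user mapped to a login. A login without an explicit entry
# gets the __default__ mapping, as at login time. (Group mappings of the form
# %group are not considered here.)
seuser_for_login() {  # $1=login  $2=text of `semanage login -l`
  found=$(printf '%s\n' "$2" | awk -v l="$1" '$1 == l { print $2; exit }')
  if [ -z "$found" ]; then
    found=$(printf '%s\n' "$2" | awk '$1 == "__default__" { print $2; exit }')
  fi
  printf '%s\n' "$found"
}

# Print the roles of a SELinux user: every field after the four fixed columns
# (user, prefix, MCS level, MCS range), space separated.
roles_for_seuser() {  # $1=SELinux user  $2=text of `semanage user -l`
  printf '%s\n' "$2" | awk -v u="$1" '$1 == u {
      for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n"); exit }'
}

# Return 0 if the login can reach the role, 1 otherwise.
login_has_role() {  # $1=login  $2=role  $3=login listing  $4=user listing
  su=$(seuser_for_login "$1" "$3")
  [ -n "$su" ] || return 1
  for r in $(roles_for_seuser "$su" "$4"); do
    [ "$r" = "$2" ] && return 0
  done
  return 1
}

# Live wrapper for a real system (needs root and policycoreutils-python-utils).
live_login_has_role() {  # $1=login  $2=role
  login_has_role "$1" "$2" "$(semanage login -l)" "$(semanage user -l)"
}

# Demonstration on the constructed samples
if login_has_role existinguser dbadm_r "$SAMPLE_LOGINS" "$SAMPLE_USERS"; then
  echo "existinguser -> $(seuser_for_login existinguser "$SAMPLE_LOGINS") can reach dbadm_r"
fi
```

On a real system call `live_login_has_role existinguser dbadm_r` as root; the exit status tells you whether the role is reachable before you try `newrole -r dbadm_r` or a sudo rule that depends on it.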

Assign admin roles to Linux users when they use sudo

sudo can be configured so that, in addition to changing the user ID, it also changes the SELinux role and the corresponding type of the command being run (the ROLE= and TYPE= keywords). Because a malformed file in /etc/sudoers.d breaks sudo for everyone, check the result with visudo -c after editing.

$ cat << EOF | sudo tee /etc/sudoers.d/admin-roles > /dev/null
# staff can become sysadm for all commands and shell
staff        ALL=(ALL)       ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: ALL
# staff2 can only run networking commands
#Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
#staff2        ALL=(ALL)       ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: NETWORKING
# staff3 can become dbadm for database administration
#Cmnd_Alias DATABASES = /usr/bin/mariadb-admin, /usr/bin/mysqladmin, /usr/bin/psql
#staff3        ALL=(ALL)       ROLE=dbadm_r TYPE=dbadm_t NOPASSWD: DATABASES
EOF
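Writing the fragment straight into /etc/sudoers.d means a typo (such as a misspelled Cmnd_Alias) is only discovered when sudo stops working. The script below is an added example, not part of the wiki page: it builds ROLE=/TYPE= lines from a user, role and command specification (deriving the type from the role by the X_r -> X_t naming convention unless a type is given), writes the fragment to a dot-prefixed temporary file in the destination directory (sudo ignores files whose names contain a dot, so the fragment is invisible until renamed), validates it with `visudo -c -f` when visudo is installed, and only then renames it into place with mode 0440. The function names (`sudoers_role_line`, `build_admin_roles_fragment`, `install_sudoers_fragment`) are my own; the fragment content is a constructed sample mirroring the one above, and the demonstration writes into a scratch directory rather than /etc/sudoers.d.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page): validate and install a
# sudoers fragment that switches SELinux role and type.

# Build one sudoers line. $1=user $2=role $3=command spec (ALL or an alias)
# $4=type (optional; defaults to the role name with _r replaced by _t)
sudoers_role_line() {
  role=$2
  setype=${4:-${role%_r}_t}
  printf '%s\tALL=(ALL)\tROLE=%s TYPE=%s NOPASSWD: %s\n' "$1" "$role" "$setype" "$3"
}

# Constructed fragment mirroring the page's /etc/sudoers.d/admin-roles
build_admin_roles_fragment() {
  printf '# staff can become sysadm for all commands and shell\n'
  sudoers_role_line staff sysadm_r ALL
  printf '# staff3 can become dbadm for database administration\n'
  printf 'Cmnd_Alias DATABASES = /usr/bin/mariadb-admin, /usr/bin/mysqladmin, /usr/bin/psql\n'
  sudoers_role_line staff3 dbadm_r DATABASES
}

# Write $2 to $1 with mode 0440, validating with visudo first when available.
# Returns 1 and leaves the destination untouched if validation fails.
install_sudoers_fragment() {  # $1=destination path  $2=fragment content
  dest=$1
  dir=$(dirname "$dest")
  # A name containing a dot is skipped by sudo, so a half-written file is never honoured.
  tmp=$(mktemp "$dir/.fragment.XXXXXX") || return 1
  printf '%s\n' "$2" > "$tmp"
  chmod 0440 "$tmp"
  if command -v visudo >/dev/null 2>&1; then
    # -c: check only; -f: check this file instead of /etc/sudoers
    if ! visudo -c -f "$tmp" >/dev/null 2>&1; then
      rm -f "$tmp"
      return 1
    fi
  fi
  mv "$tmp" "$dest"   # same directory, so the rename is atomic
}

# Demonstration into a scratch directory; for real use pass
# /etc/sudoers.d/admin-roles and run as root.
SCRATCH=$(mktemp -d)
if install_sudoers_fragment "$SCRATCH/admin-roles" "$(build_admin_roles_fragment)"; then
  echo "installed fragment:"
  cat "$SCRATCH/admin-roles"
else
  echo "fragment rejected" >&2
fi
rm -rf "$SCRATCH"
```

When visudo is present it validates the file before anything reaches the live sudoers.d, and when it is absent the function still enforces the 0440 mode and the atomic rename.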

Refer to https://fedoraproject.org/wiki/SELinux/Debugging for additional debugging settings. In particular, https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing and https://fedoraproject.org/wiki/SELinux/Debugging#Switch_the_system_to_SELinux_permissive_mode are helpful. When gathering debugging data, make sure the ausearch commands include SELINUX_ERR among the message types they search for, since role and user transition failures are reported there rather than as AVC denials.