Hello,
It's been about a year since I played with SELinux. I recently created a new SELinux login and mapped it to the "staff_u" SELinux user. Everything seemed to work normally until I tried running the semanage commands and it denied me access. So for instance I would run "sudo semanage user -l", and I even added the staff role and type to allow it to use sudo, but it still ended up not letting me access it. I'm almost certain it never gave me this kind of problem when I ran SELinux a year ago.
I ran an ausearch and it gave me a bunch of stuff, so I figured I'd ask here to see if anyone knows what's going on with it, or whether I should even allow these rules. Let me know what you think.
"
# Candidate allow rules generated from logged denials (this looks like
# audit2allow output fed from ausearch -- confirm). Nothing here is loaded
# yet; each line is a permission that was denied and would be granted if
# this were built into a module. Treat it as a list of things to explain,
# not a list of things to allow: several rules below are broader than what
# running "semanage" should need.
require {
# Types and object classes the rules below refer to; they must already
# exist in the loaded policy for the module to build.
type bin_t;
type newrole_t;
type staff_t;
type staff_sudo_t;
type sysadm_sudo_t;
class lnk_file relabelfrom;
class dir search;
class file { open read };
}
# newrole_t: getattr on the cgroup filesystem. Read-only metadata access;
# not obviously connected to the semanage failure.
fs_getattr_cgroup(newrole_t)
#============= staff_sudo_t ==============
# NOTE(review): relabelfrom on a bin_t symlink from the sudo helper domain
# is not something "semanage user -l" should need; more likely a labeling
# mismatch on the system (e.g. a mislabeled path) than a missing rule --
# investigate the denied object before allowing.
allow staff_sudo_t bin_t:lnk_file relabelfrom;
# NOTE(review): relabel permissions on sysfs dirs and boot files grant the
# sudo domain the ability to change labels, which is well beyond listing
# SELinux users. Verify these denials come from a restorecon-style action
# you actually ran and not from noise.
dev_relabel_sysfs_dirs(staff_sudo_t)
files_relabelfrom_boot_files(staff_sudo_t)
# Read-only directory listing / state reads; low risk.
files_list_lost_found(staff_sudo_t)
files_list_var(staff_sudo_t)
fs_read_configfs_dirs(staff_sudo_t)
init_read_state(staff_sudo_t)
#============= sysadm_sudo_t ==============
# sysadm_sudo_t reading staff_t-labeled dirs/files -- presumably the
# calling staff_t process's own entries (proc/env); confirm against the
# raw AVC before allowing.
allow sysadm_sudo_t staff_t:dir search;
allow sysadm_sudo_t staff_t:file { open read };
# Connecting to abrt and reading cups config: unrelated to semanage;
# likely side effects of the command environment rather than requirements.
abrt_stream_connect(sysadm_sudo_t)
cups_read_rw_config(sysadm_sudo_t)
# Read-only directory listing / state reads; low risk.
files_list_lost_found(sysadm_sudo_t)
files_list_var(sysadm_sudo_t)
fs_read_configfs_dirs(sysadm_sudo_t)
init_read_state(sysadm_sudo_t)
# NOTE(review): these three are the rules that actually correspond to the
# semanage failure (locking, reading and modifying the policy module
# store). The fact that the denials are attributed to sysadm_sudo_t rather
# than to the domain semanage normally runs in suggests the sudo'd command
# is staying in the sudo domain, i.e. the expected role/type transition
# after sudo is not happening. Granting "manage" on the module store to the
# sudo domain would let anything run through sudo in that domain rewrite
# policy; check the role/type transition first rather than allowing this.
seutil_get_semanage_read_lock(sysadm_sudo_t)
seutil_manage_module_store(sysadm_sudo_t)
seutil_read_module_store(sysadm_sudo_t)
"