Hello,
It's been about a year since I last worked with SELinux. I recently created a new SELinux
login and mapped it to the "staff_u" SELinux user. Everything seemed to work
normally until I tried running semanage commands, which were denied. For
instance, I would run "sudo semanage user -l"; I even added the staff role and
type to allow it to use sudo, but it still would not let me run it. I'm
almost certain it never gave me this kind of problem when I ran SELinux a year ago.
I ran ausearch on the denials, and the generated rules are quoted below. I figured I'd ask here whether
anyone knows what is going on, and whether I should even allow these rules. Let me know what you
think.
"
# Generated-policy style listing (raw allow rules plus refpolicy interface
# calls). Each line grants exactly the access that was denied; nothing here
# explains *why* the commands ran in the domains shown, so review before loading.
require {
type bin_t;
type newrole_t;
type staff_t;
type staff_sudo_t;
type sysadm_sudo_t;
class lnk_file relabelfrom;
class dir search;
class file { open read };
}
# newrole_t: getattr on the cgroup filesystem (per the interface name). Low risk.
fs_getattr_cgroup(newrole_t)
#============= staff_sudo_t ==============
# NOTE(review): this lets the staff sudo helper domain change the label of
# bin_t symlinks. Relabel permissions are not needed to run `semanage ... -l`;
# confirm from the matching AVC what actually triggered it before granting.
allow staff_sudo_t bin_t:lnk_file relabelfrom;
# NOTE(review): relabel access to sysfs directories -- again a relabel-type
# permission, not something a read-only semanage listing should need.
dev_relabel_sysfs_dirs(staff_sudo_t)
# Directory listing under lost+found and /var; read-only, low risk.
files_list_lost_found(staff_sudo_t)
files_list_var(staff_sudo_t)
# NOTE(review): relabelfrom on boot files (per the interface name). Same
# concern as the other relabel rules above: unrelated to semanage, and
# granting it to a sudo helper domain is broader than the question warrants.
files_relabelfrom_boot_files(staff_sudo_t)
# Read-only directory access under configfs and init state; low risk.
fs_read_configfs_dirs(staff_sudo_t)
init_read_state(staff_sudo_t)
#============= sysadm_sudo_t ==============
# staff_t is a process domain, so dir search / file read on it is most likely
# /proc/<pid> entries of staff_t processes -- confirm against the AVC.
allow sysadm_sudo_t staff_t:dir search;
allow sysadm_sudo_t staff_t:file { open read };
# Connect to the abrt socket and read cups config (per the interface names);
# side effects of sudo's environment rather than of semanage itself.
abrt_stream_connect(sysadm_sudo_t)
cups_read_rw_config(sysadm_sudo_t)
# Read-only directory/state access; low risk.
files_list_lost_found(sysadm_sudo_t)
files_list_var(sysadm_sudo_t)
fs_read_configfs_dirs(sysadm_sudo_t)
init_read_state(sysadm_sudo_t)
# NOTE(review): these three are the semanage denials. They are attributed to
# sysadm_sudo_t, i.e. semanage appears to have run inside the sudo helper
# domain rather than in sysadm_t. seutil_manage_module_store in particular
# grants write access to the SELinux policy store; granting it to the sudo
# domain widens that domain instead of fixing the missing transition. Check
# `id -Z` inside the sudo session (and the ROLE/TYPE used for sudo) before
# adding these -- if the process ends up in sysadm_t, these rules are not needed.
seutil_get_semanage_read_lock(sysadm_sudo_t)
seutil_manage_module_store(sysadm_sudo_t)
seutil_read_module_store(sysadm_sudo_t)
"