On Sun, Mar 21, 2021 at 5:12 PM Daniel Skip <eliascaplan7(a)gmail.com> wrote:
> Every time I run the command "sudo id -Z" it still says I am in the
> staff_r role when I should be in the sysadm_r role because that's how I set
> it up in my /etc/sudoers file which looks like this:
> daniel ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL

I've just verified exactly this setting works as expected:
$ sudo id -Z
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for daniel:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
Is there any additional information in the secure log, audit, journal?
Other sudo settings work?

> Furthermore, can anyone tell me what the best way to utilize RBAC on the
> targeted policy would be? I was looking at using the secadm_r for only
> installing policy instead of letting any other role do that but it looks
> like that would only work if I transitioned my system to a MLS system. Any
> ideas or help would be greatly appreciated.

Not completely sure what you have in mind, but you need to use the
semanage-user command to add an additional admin role for a selinux user:
semanage user -m -R "sysadm_r secadm_r unconfined_r staff_r" staff_u
See also this article for more information:
https://lukas-vrabec.com/index.php/2019/06/16/distinguish-sysadm-and-seca...
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
--
Zdenek Pytela
Security SELinux team
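
The check discussed in this thread, as an added example that is not part of the original messages: it compares the role in a context string such as the one `sudo id -Z` prints with the role the sudoers entry asks for, and looks up whether the SELinux user is authorized for that role in `semanage user -l` output. The function names and the sample `semanage user -l` output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample of `semanage user -l` output (not taken from the thread).
SAMPLE_USERS='
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
user_u          user       s0         s0                             user_r
'

# roles_for USER: read `semanage user -l` output on stdin, print USER's roles.
# Fields 1-4 are user, prefix, MLS level and MLS range; the rest are roles.
roles_for() {
    awk -v u="$1" '$1 == u { for (i = 5; i <= NF; i++) print $i }'
}

# role_allowed USER ROLE: succeed if ROLE is listed for USER (stdin as above).
role_allowed() {
    roles_for "$1" | grep -qx -- "$2"
}

# context_field CONTEXT N: print field N of a context (1=user, 2=role, 3=type).
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# check_sudo_role CONTEXT WANT_ROLE: reads `semanage user -l` output on stdin.
# Returns 0 if the context already has WANT_ROLE, 1 if the SELinux user is
# authorized for WANT_ROLE but the context has another role, and 2 if
# WANT_ROLE is not among the roles of the SELinux user.
check_sudo_role() {
    csr_user=$(context_field "$1" 1)
    csr_role=$(context_field "$1" 2)
    if [ "$csr_role" = "$2" ]; then
        echo "ok: running as $csr_role"
    elif role_allowed "$csr_user" "$2"; then
        echo "mismatch: $csr_user may use $2 but context has $csr_role"
        return 1
    else
        echo "unauthorized: $2 is not in the roles of $csr_user"
        return 2
    fi
}
```

On a live system the same function can be fed real data with `semanage user -l | check_sudo_role "$(sudo id -Z)" sysadm_r`.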