default user context on

Konstantin Ryabitsev icon at
Wed Mar 28 00:51:46 UTC 2012

On Tue, 2012-03-27 at 17:28 -0600, Kevin Fenzi wrote:
> Note that folks who need to sudo need to still be unconfined right? 

No, you want them to be staff_u and add the following to your sudoers:

        %wheel ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

This will transition to unconfined upon sudo.

BTW, I just found out that guest_u (and, by extension, my testguest_u)
still allows sshd forwarding -- I guess it's hard to restrict that on
the SELinux level. It can be disallowed in sshd config, though,
including by group:

        AllowTcpForwarding no
        Match Group wheel
        AllowTcpForwarding yes

Konstantin Ryabitsev
Systems Administrator,
Montréal, Québec
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the infrastructure mailing list