Boolean or rule for preventing user_u for su or sudo
Eric Paris
eparis at redhat.com
Mon May 4 15:22:11 UTC 2009
On Sun, 2009-05-03 at 18:19 -0700, fluffie wrote:
> hi,
>
> i created a useruuser account which has SELinux User of "user_u".
> and when i log in using that account, i cannot use 'su' or 'sudo'.
> in particular, when i try to use 'sudo', there will be a permission denied
> message.
>
> may i know where is the boolean or rule that specified this restriction?
>
> thank you
That's one of the points of user_u, it can't get to root :)
staff_u can get to sysadm_t (through sudo) which then has most admin
privs. Although I beleive dwalsh would suggest staff_u -> unconfined_t
via sudo if you want an admin user. (which would require adding
unconfined_r to staff_u I believe)
-Eric
More information about the selinux
mailing list