On Sunday, March 21, 2021 8:08:32 AM AKDT Daniel Skip wrote:
> Every time I run the command "sudo id -Z" it still says I am in the staff_r
> role when I should be in the sysadm_r role because that's how I set it up
> in my /etc/sudoers file which looks like this:
> daniel ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
>
> Furthermore, can anyone tell me what the best way to utilize RBAC on the
> targeted policy would be? I was looking at using the secadm_r for only
> installing policy instead of letting any other role do that but it looks
> like that would only work if I transitioned my system to a MLS system. Any
> ideas or help would be greatly appreciated.

I'm not sure I can be of much help here, but I've been lurking here a while.

Corporate and government-centric bureaucratic Mandatory Access Control policies such as SELinux remain highly controversial here in the "real world." Essentially, "staff_r" is seen as a front-counter customer service position, and you're putting in for a promotion to "sysadm_r", which is a management role. It's a bit like you have to polish up your whole résumé or curriculum vitae in order to do something like that, and there's a great deal of resistance from "the usual" office politics, and all the "buddies" at work who want to make sure the Mob can still hack your system no matter what.

I use Fedora with the default "targeted" SELinux policies on my desktop, but I have CentOS on OpenVZ shared-kernel virtualization "in the cloud" where SELinux is not really welcome anywhere from a professional customer service and support perspective. The "KVM" virtualization options that would potentially support SELinux or any arbitrary operating system setups in the cloud tend not to be adequately secured at the hardware simulation level in order for it to make sense to enable SELinux.
[justina@localhost ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

[justina@amarillo ~]$ sestatus
SELinux status:                 disabled
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
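The sudoers rule quoted in the original question (`ROLE=sysadm_r TYPE=sysadm_t`) can only take effect if the SELinux user the invoking login is mapped to is authorized for that role; `semanage user -l` lists which roles each SELinux user may hold. The script below is an added diagnostic, not part of the thread and not anything the poster or the Fedora project supplies: it parses the `ROLE=` field out of a sudoers line, the SELinux user out of an `id -Z` style context, and checks the one against a constructed sample of `semanage user -l` output (the role lists shown are assumed to resemble Fedora targeted defaults and are embedded inline so the script runs offline).

```shell
#!/bin/sh
# Constructed sample of `semanage user -l` output (assumed Fedora targeted-style
# defaults; not captured from the poster's machine). Columns: SELinux user,
# labeling prefix, MLS/MCS level, MLS/MCS range, then the allowed roles.
SEMANAGE_USERS='staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r'

# seuser_of_context CONTEXT -> first field of a context such as the one `id -Z` prints,
# e.g. "staff_u:staff_r:staff_t:s0-s0:c0.c1023" -> staff_u
seuser_of_context() { printf '%s\n' "$1" | cut -d: -f1; }

# role_of_context CONTEXT -> second field, e.g. staff_r
role_of_context() { printf '%s\n' "$1" | cut -d: -f2; }

# sudoers_role LINE -> the value of the ROLE= option in a sudoers rule (empty if none)
sudoers_role() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n 's/^ROLE=//p'
}

# role_allowed SEUSER ROLE -> exit 0 if ROLE appears in SEUSER's allowed-roles column
role_allowed() {
    seuser=$1; role=$2
    roles=$(printf '%s\n' "$SEMANAGE_USERS" |
            awk -v u="$seuser" '$1 == u { for (i = 5; i <= NF; i++) print $i }')
    for r in $roles; do
        [ "$r" = "$role" ] && return 0
    done
    return 1
}

# check_rule CONTEXT SUDOERS_LINE -> prints a verdict; exit 0 if the ROLE= target is
# authorized for the context's SELinux user, 1 if not, 2 if the rule has no ROLE=
check_rule() {
    seuser=$(seuser_of_context "$1")
    want=$(sudoers_role "$2")
    if [ -z "$want" ]; then
        echo "rule sets no ROLE=; sudo keeps role $(role_of_context "$1")"
        return 2
    fi
    if role_allowed "$seuser" "$want"; then
        echo "ok: SELinux user $seuser is authorized for $want"
        return 0
    fi
    echo "blocked: SELinux user $seuser is not authorized for $want (see semanage user -l)"
    return 1
}

# Demo on constructed contexts; on a real host use: check_rule "$(id -Z)" '<sudoers line>'
check_rule 'staff_u:staff_r:staff_t:s0-s0:c0.c1023'          'daniel ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL'
check_rule 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' 'daniel ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL'
```

This checks only the user-to-role authorization; a role change through sudo also depends on sudo having been built with SELinux support and on the policy permitting the domain transition, which this script does not test.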