Re: Why won't it let me transition from a staff_r role to a sysadm_r role?

On Sunday, March 21, 2021 8:08:32 AM AKDT Daniel Skip wrote:
> Every time I run the command "sudo id -Z" it still says I am in the staff_r
> role when I should be in the sysadm_r role because that's how I set it up
> in my /etc/sudoers file which looks like this:
 
> daniel  ALL=(ALL)  ROLE=sysadm_r  TYPE=sysadm_t  ALL
> 
> 
> Furthermore, can anyone tell me what the best way to utilize RBAC on the
> targeted policy would be? I was looking at using the secadm_r for only
> installing policy instead of letting any other role do that but it looks
> like that would only work if I transitioned my system to a MLS system. Any
> ideas or help would be greatly appreciated.

I'm not sure I can be of much help here, but I've been lurking here a while.

Corporate and government-centric bureaucratic Mandatory Access Control 
policies such as SELinux remain highly controversial here in the "real world." 
Essentially, "staff_r" is seen as a front-counter customer service position, 
and you're putting in for a promotion to "sysadm_r" which is a management 
role. It's a bit like you have to polish up your whole résumé or curriculum 
vitae in order to do something like that, and there's a great deal of 
resistance from "the usual" office politics, and all the "buddies" at work who 
want to make sure the Mob can still hack your system no matter what.

I use Fedora with the default "targeted" SELinux policies on my desktop but I 
have CentOS on OpenVZ shared-kernel virtualization "in the cloud" where 
SELinux is not really welcome anywhere from a professional customer service 
and support perspective.

The "KVM" virtualization options that would potentially support SELinux or any 
arbitrary operating system setups in the cloud tend not to be adequately 
secured at the hardware simulation level in order for it to make sense to 
enable SELinux.

[justina@localhost ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

[justina@amarillo ~]$ sestatus
SELinux status:                 disabled
