On Sun, Mar 21, 2021 at 5:12 PM Daniel Skip <eliascaplan7@xxxxxxxxx> wrote:
Every time I run the command "sudo id -Z" it still says I am in the staff_r role when I should be in the sysadm_r role, because that's how I set it up in my /etc/sudoers file, which looks like this:
daniel ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
I've just verified exactly this setting works as expected:
$ sudo id -Z
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for daniel:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
Is there any additional information in the secure log, audit, journal? Other sudo settings work?
Furthermore, can anyone tell me what the best way to utilize RBAC on the targeted policy would be? I was looking at using the secadm_r for only installing policy instead of letting any other role do that, but it looks like that would only work if I transitioned my system to an MLS system. Any ideas or help would be greatly appreciated.
Not completely sure what you have in mind, but you need to use the semanage-user command to add an additional admin role for a selinux user:
semanage user -m -R "sysadm_r secadm_r unconfined_r staff_r" staff_u
See also this article for more information:
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Zdenek Pytela
Security SELinux team
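As an added, illustrative check (not code from this thread or from the Fedora SELinux team), the POSIX shell script below takes a sudoers entry, an `id -Z` context and `semanage user -l`-style output and reports whether the ROLE= the entry asks for is among the roles the caller's SELinux user is allowed to enter, which is the precondition for the sudo transition discussed above and the reason the `semanage user -m -R ...` command is needed when a role such as secadm_r is missing. It also compares an observed `sudo id -Z` context against the requested role, mirroring the expected `staff_u:sysadm_r:sysadm_t:...` output in the reply. All inputs are constructed samples embedded in the script so it runs offline; on a live host you would substitute the real command output. The function names and the trimmed `semanage user -l` layout are assumptions.

```shell
#!/bin/sh
# Added example: verify that a sudoers ROLE= request is permitted for the
# caller's SELinux user, and that an observed context shows the transition.
# Not from the thread; inputs below are constructed, not captured live.

# Constructed `id -Z` output before any transition (the user from the thread).
SAMPLE_ID_Z='staff_u:staff_r:staff_t:s0-s0:c0.c1023'

# Constructed `semanage user -l`-style output (header kept, columns trimmed).
# Fields from the fifth onward are the roles the SELinux user may enter.
SAMPLE_SEMANAGE_USERS='SELinux User    Prefix  MCS Level  MCS Range                      SELinux Roles
staff_u         user    s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
user_u          user    s0         s0                             user_r'

# Constructed sudoers entry, as quoted in the thread.
SAMPLE_SUDOERS='daniel ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL'

# selinux_user CONTEXT -> SELinux user (first field of a context string).
selinux_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# context_role CONTEXT -> role (second field of a context string).
context_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

# sudoers_role LINE -> the ROLE=... value of a sudoers entry, empty if absent.
sudoers_role() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^ROLE=//p'
}

# allowed_roles SEMANAGE_OUTPUT SEUSER -> space-separated roles for SEUSER.
# Matching on the first column means any header lines are simply skipped.
allowed_roles() {
    printf '%s\n' "$1" | awk -v u="$2" \
        '$1 == u { for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : ""); print "" }'
}

# role_permitted ROLE ROLELIST -> 0 if ROLE appears in the space-separated list.
role_permitted() {
    for r in $2; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# check_sudo_role SUDOERS_LINE ID_Z_OUTPUT SEMANAGE_OUTPUT
# Returns 0 when the requested ROLE is allowed for the caller's SELinux user,
# 1 otherwise, printing the fix (the semanage command from the thread) on failure.
check_sudo_role() {
    role=$(sudoers_role "$1")
    seuser=$(selinux_user "$2")
    roles=$(allowed_roles "$3" "$seuser")
    if [ -z "$role" ]; then
        printf 'no ROLE= in sudoers entry; sudo keeps the caller role\n'
        return 1
    fi
    if role_permitted "$role" "$roles"; then
        printf 'ok: %s may enter %s (allowed: %s)\n' "$seuser" "$role" "$roles"
        return 0
    fi
    printf 'mismatch: %s is not allowed %s (allowed: %s); add it with: semanage user -m -R "%s %s" %s\n' \
        "$seuser" "$role" "$roles" "$roles" "$role" "$seuser"
    return 1
}

# verify_transition ROLE OBSERVED_CONTEXT -> 0 if `sudo id -Z` shows ROLE.
verify_transition() {
    [ "$(context_role "$2")" = "$1" ]
}

# Stand-alone run over the constructed samples.
check_sudo_role "$SAMPLE_SUDOERS" "$SAMPLE_ID_Z" "$SAMPLE_SEMANAGE_USERS"
verify_transition sysadm_r 'staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023' \
    && printf 'transition observed: sysadm_r\n'
```

On a real host the three sample strings would be replaced by `$(id -Z)`, `$(semanage user -l)` and the relevant `/etc/sudoers` line; the secadm_r case in the question fails the check with the default staff_u role list, and the printed `semanage user -m -R` command is exactly the remedy given in the reply.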