On 11/16/2021 5:53 AM, Topi Miettinen wrote:
Describe some easy and more difficult methods to harden SELinux policies.

Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
---
[snip]
+## Users and Roles + +In the "targeted" model, both unprivileged users and the system +administrator (`root`) are unconfined and the TE rules are very +relaxed. However, it's possible to change the SELinux user for these +accounts to more confined variants. + +For the unprivileged users, the confined user in the Reference Policy +is `user_u` with corresponding role `user_r`. There's also `staff_u` +and `staff_r` to allow transitioning to system administrative roles by +logging in as `staff_u:staff_r` and escalating to `staff_u:sysadm_r` +or another role for administrative tasks with ***newrole**(1)*. + +For the system administrator there are several options: `root` SELinux +user, which is mostly unconfined and `sysadm_u`, which is more +confined. The role for both is `sysadm_r`. + +It's also possible to divide the powers of the system administrator to +several roles, `sysadm_r`, `auditadm_r`, `logadm_r`, `dbadm_r` and +`secadm_r`. This can be useful when an organization wants to ensure +that even the system administrators can be held accountable for their +actions. The roles can be also useful for management of labor, for +example having dedicated persons for managing databases or SELinux +policies. + +It should be noted that since this isn't the default way of operating +SELinux, the Reference Policy may need to be supplemented and the +administrators, even users, may need to be more aware of SELinux in +order to be able to operate the system. + +Example: +``` +# User `test` has beed added earlier with `adduser` or `useradd`. +semanage login --add --seuser user_u --range 's0' test +```
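Review bot: The Example block at the end of the "Users and Roles" section covers only the `user_u` mapping and leaves `--range 's0'` unexplained, while the text above it also describes `staff_u`/`staff_r` and `sysadm_u`. Consider adding a second mapping that shows an administrator account assigned to `staff_u`, a sentence on what the range argument restricts, and a `semanage login -l` step so the reader can confirm the mapping took effect. Two wording points in the same section: "`root` SELinux user, which is mostly unconfined and `sysadm_u`, which is more confined" needs a comma after "unconfined" to separate the two options, and "management of labor" would read more clearly as "division of labor".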
s/beed/been/

Looks good to me other than that. FWIW:

Reviewed-by: Daniel Burgener <dburgener@xxxxxxxxxxxxxxxxxxx>