SELinux user context staff_u and sudo issues. Also, question related to setting conte
1. I am having issues with sudo and the staff_u user context in SELinux. According to RHEL documentation, staff_u is supposed to provide the user with sudo access (but not su access), but this is not working out. Here's what's happening:
2. I am wondering what the difference is between the two following commands:
a. semanage login -m -s staff_u __default__
b. semanage login -m -S targeted -s staff_u -r s0 __default__
I have always used the first command, but in doing some reading online I also see the second command used quite frequently.
3. I know I can get a listing of file contexts doing an seinfo -t (for example, seinfo -t | grep public_content), and I also know that I can find what the context for a file should be by doing matchpathcon <file>, but I am wondering, how do I find out what the contexts actually mean? For example, semanage boolean -l will show me all SELinux booleans and what they do, but semanage fcontext -l does not do this. Let's say I am wondering what public_content_rw_t does, how would I find that out?
That's because SELinux is a bit of a niche skill.
Unfortunately, now you've answered yourself, that takes it off the zero-reply list, which would normally get it bumped up automatically ...
One option may be to ask the Mods (via the Report button) to move it to the Security forum; you might do better over there.
Do NOT re-post this as a duplicate question; thank you.
Thank you for the reply! I was beginning to think I posted in the wrong subforum, but didn't want to crosspost. I didn't realize I could report my post, so that's really good to know. I reported the post. Thank you so much for your help!
I am not an SELinux expert, so I may be wrong, but it looks to me like your problem is that your user needs to assume the sysadm_r (system admin role). The user staff_u has this capability, but unless they change roles they will not be able to use privileged commands.
Here's the output from "semanage user -l | grep staff_u":
Quote:
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
The odd thing that I don't fully understand here is that staff_r is mapped to the role of unconfined_r, which doesn't make any sense to me at all. Anyway, I installed policycoreutils-newrole and then tried "newrole -r sysadm_r", typed my password, and still sudo doesn't work.
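The distinction raised in the thread, between a role that an SELinux user is authorized for and the role a session is actually running in, can be checked mechanically. The script below is an added example and not part of any post; it parses the `semanage user -l` row quoted above, while the `id -Z`-style context string and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the roles an SELinux user may enter with the
# role the current session is in. Runs offline on embedded samples; on a
# live system feed it `semanage user -l` rows and the output of `id -Z`.

# Row copied from the thread's `semanage user -l | grep staff_u` output.
# Columns: SELinux user, labeling prefix, MLS level, MLS range, roles...
SAMPLE_USER_LINE='staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r'
# Constructed sample of a security context for a confined staff login.
SAMPLE_CONTEXT='staff_u:staff_r:staff_t:s0-s0:c0.c1023'

# Print the authorized roles (fields 5..N) of one `semanage user -l` row.
roles_for_line() {
    printf '%s\n' "$1" |
        awk '{ for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

# Print the role, i.e. the second colon-separated field of a context.
role_of_context() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Succeed if role $2 appears among the roles of semanage row $1.
role_allowed() {
    for r in $(roles_for_line "$1"); do
        [ "$r" = "$2" ] && return 0
    done
    return 1
}

# Args: semanage_row context wanted_role
# Prints: active    (session already runs in the role)
#         available (authorized, but the session has not switched to it)
#         denied    (the SELinux user is not authorized for the role)
role_status() {
    if [ "$(role_of_context "$2")" = "$3" ]; then
        echo active
    elif role_allowed "$1" "$3"; then
        echo available
    else
        echo denied
    fi
}

role_status "$SAMPLE_USER_LINE" "$SAMPLE_CONTEXT" sysadm_r
```

For the samples above the result is `available`: sysadm_r is listed for staff_u, but the session context still carries staff_r.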