fedora-selinux May 2009 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: Boolean or rule for preventing user_u for su

Re: Boolean or rule for preventing user_u for su or sudo

From: Eric Paris <eparis_at_nospam>
Date: Mon May 04 2009 - 15:22:11 GMT
To: fluffie <adriangolding@gmail.com>

On Sun, 2009-05-03 at 18:19 -0700, fluffie wrote:
> hi,
> i created a useruuser account which has SELinux User of "user_u".
> and when i log in using that account, i cannot use 'su' or 'sudo'.
> in particular, when i try to use 'sudo', there will be a permission denied
> message.
> may i know where is the boolean or rule that specified this restriction?
> thank you

That's one of the points of user_u, it can't get to root :)

staff_u can get to sysadm_t (through sudo) which then has most admin privs. Although I beleive dwalsh would suggest staff_u -> unconfined_t via sudo if you want an admin user. (which would require adding unconfined_r to staff_u I believe)

-Eric -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list