Redhat: How to create a new role with SELinux
Tags: redhat, selinux
I can figure out how to map a SELinux user to an existing role, but how do I create new roles? I'm looking to create a restricted admin role for my box.
Best Answer
Unless you want to rewrite pretty much the whole refpolicy, I see no use for a new role. Note that after creating it, you'll need to create custom policy rules for literally every module that role is supposed to be able to use.
My idea of giving a user a restricted administrator role is implemented by:

- `guest_u`, a highly confined (and already existing) SELinux user.
- `sudo` rules to allow specific people to run specific commands on specific machines under a specific SELinux role and type.
- `rbash`, a limited `PATH`, 2FA authentication, proper authorization, ...

The key point here is the ability to grant an unprivileged `guest_u` user the ability to run an elevated privilege command without ever leaving his/her restricted SELinux user mapping.

Check the `sudoers(5)` manpage for details.

To check for SELinux support in `sudo`, run:

On RHEL, `sudo` has SELinux support enabled by default.
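As an added example (not code from the answer above) of the kind of sudo rule it describes: a POSIX shell helper that emits a sudoers(5) entry carrying the ROLE= and TYPE= options for one login and one command, rejects values that would alter the rule grammar, and syntax-checks the drop-in with visudo. The login name, command and target role/type are placeholders, and the script assumes the loaded policy already permits the confined user's domain to execute sudo and transition to that role/type, which it does not verify.

```shell
#!/bin/sh
# Added example, not part of the original answer. Generates and installs a sudoers
# drop-in that lets one confined login run one command under an explicit SELinux
# role and type (the sudoers(5) ROLE= and TYPE= options, available when sudo is
# built with SELinux support, as it is on RHEL). Assumptions: the login name
# "restricted_admin", the command, and the target role/type are placeholders, and
# the loaded policy must separately allow the confined domain to run sudo and
# transition to the target domain; this script does not check that.

# Reject anything that is not a plain identifier. A stray space, comma or '='
# in a value would otherwise be parsed by sudo as part of the rule grammar and
# could widen the rule instead of failing.
is_ident() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]*$'
}

# Print one sudoers entry:  <login> ALL=(root) ROLE=<role> TYPE=<type> <command>
# Returns 1 (and prints nothing) if any value is unsafe to splice into a rule.
sudoers_entry() {
    login="$1"; role="$2"; type="$3"; cmd="$4"
    is_ident "$login" && is_ident "$role" && is_ident "$type" || return 1
    case "$cmd" in /*) ;; *) return 1 ;; esac   # sudoers commands must be absolute paths
    printf '%s ALL=(root) ROLE=%s TYPE=%s %s\n' "$login" "$role" "$type" "$cmd"
}

# Write the entry to a file, set the mode sudo expects, and let visudo reject
# syntax errors before the file is dropped into /etc/sudoers.d on the target box.
install_rule() {
    file="$1"; shift
    sudoers_entry "$@" > "$file" || return 1
    chmod 0440 "$file"
    visudo -c -f "$file"
}

# Map the Linux login to the confined SELinux user guest_u (run as root on the host):
#   semanage login -a -s guest_u restricted_admin
# Then install the rule, e.g.:
#   install_rule /etc/sudoers.d/restricted_admin restricted_admin sysadm_r sysadm_t /usr/sbin/semanage
# The login keeps its guest_u mapping and can elevate only for that one command,
# and only into the role/type named in the rule.
```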