[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Boolean or rule for preventing user_u for su or sudo

From: Eric Paris <eparis redhat com>
To: fluffie <adriangolding gmail com>
Cc: fedora-selinux-list redhat com
Subject: Re: Boolean or rule for preventing user_u for su or sudo
Date: Mon, 04 May 2009 11:22:11 -0400

On Sun, 2009-05-03 at 18:19 -0700, fluffie wrote:
> hi, 
> 
> i created a useruuser account which has SELinux User of "user_u". 
> and when i log in using that account, i cannot use 'su' or 'sudo'. 
> in particular, when i try to use 'sudo', there will be a permission denied
> message.
> 
> may i know where is the boolean or rule that specified this restriction?
> 
> thank you

That's one of the points of user_u, it can't get to root   :)

staff_u can get to sysadm_t (through sudo) which then has most admin
privs.  Although I beleive dwalsh would suggest staff_u -> unconfined_t
via sudo if you want an admin user.  (which would require adding
unconfined_r to staff_u I believe)

-Eric

References:
- Boolean or rule for preventing user_u for su or sudo
  - From: fluffie

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]