Auf Alma Linux 9 nach https://danwalsh.livejournal.com/66587.html ----------------------------------------------------------------- root@alma9 ~# semanage user -l Labeling MLS/ MLS/ SELinux User Prefix MCS Level MCS Range SELinux Roles guest_u user s0 s0 guest_r root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r sysadm_u user s0 s0-s0:c0.c1023 sysadm_r system_u user s0 s0-s0:c0.c1023 system_r unconfined_r unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r user_u user s0 s0 user_r xguest_u user s0 s0 xguest_r root@alma9 ~# root@alma9 ~# semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * root@alma9 ~# root@alma9 ~# useradd -m greenhorn root@alma9 ~# echo greenhorn:green | chpasswd root@alma9 ~# root@alma9 ~# semanage user -a -r s0-s0:c0.c1023 -R "staff_r unconfined_r webadm_r sysadm_r system_r" confined_u root@alma9 ~# root@alma9 ~# seinfo -u Users: 9 confined_u guest_u root staff_u sysadm_u system_u unconfined_u user_u xguest_u root@alma9 ~# root@alma9 ~# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/confined_u root@alma9 ~# root@alma9 ~# semanage login -a -s confined_u -rs0:c0.c1023 greenhorn root@alma9 ~# root@alma9 ~# semanage user -l Labeling MLS/ MLS/ SELinux User Prefix MCS Level MCS Range SELinux Roles confined_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r webadm_r guest_u user s0 s0 guest_r root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r sysadm_u user s0 s0-s0:c0.c1023 sysadm_r system_u user s0 s0-s0:c0.c1023 system_r unconfined_r unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r user_u user s0 s0 user_r xguest_u user s0 s0 xguest_r root@alma9 ~# root@alma9 ~# # => jetzt sehen wir hier den neuen SELinux-User "confined_u" root@alma9 ~# visudo root@alma9 ~# root@alma9 ~# grep -C1 ^root /etc/sudoers ## Allow root to run any commands anywhere root ALL=(ALL) ALL greenhorn ALL=(ALL) TYPE=webadm_t ROLE=webadm_r /bin/sh root@alma9 ~# root@alma9 ~# restorecon -vRF /home/greenhorn/ Relabeled /home/greenhorn from staff_u:object_r:user_home_dir_t:s0 to confined_u:object_r:user_home_dir_t:s0 Relabeled /home/greenhorn/.bash_logout from staff_u:object_r:user_home_t:s0 to confined_u:object_r:user_home_t:s0 Relabeled /home/greenhorn/.bash_profile from staff_u:object_r:user_home_t:s0 to confined_u:object_r:user_home_t:s0 Relabeled /home/greenhorn/.bashrc from staff_u:object_r:user_home_t:s0 to confined_u:object_r:user_home_t:s0 Relabeled /home/greenhorn/.bash_history from unconfined_u:object_r:user_home_t:s0 to confined_u:object_r:user_home_t:s0 root@alma9 ~# Danach direkt an der virtuellen Konsole z.B. tty1 als greenhorn einloggen: [greenhorn@alma9 ~]$ id -Z confined_u:staff_r:staff_t:s0:c0.c1023 [greenhorn@alma9 ~]$ [greenhorn@alma9 ~]$ [greenhorn@alma9 ~]$ ls -ldZ drwx------. 2 greenhorn greenhorn confined_u:object_r:user_home_dir_t:s0 113 Apr 24 09:40 . [greenhorn@alma9 ~]$ [greenhorn@alma9 ~]$ [greenhorn@alma9 ~]$ sudo sh [sudo] password fur greenhorn: sh-5.1# sh-5.1# id -Z confined_u:webadm_r:webadm_t:s0:c0.c1023 sh-5.1# sh-5.1# # => hier ist der Übergang seiner Prozesse sehr schön zu sehen sh-5.1# sh-5.1# id uid=0(root) gid=0(root) groups=0(root) context=confined_u:webadm_r:webadm_t:s0:c0.c1023 sh-5.1# sh-5.1# # => wobei er eigentlich root ist, aber doch nur ziemlich eingeschränkt unterwegs sein darf!