It is good to have this possibility.
I have a question. Is it required by any policy/law/standard to lock the system in this way?

On an MLS machine you would not want to have an unconfined domain.

You would want to control all domains to as close to least privilege as possible.

But in general I think it is a good idea to run with the unconfined.pp and permissivedomains.pp files disabled.

I tend to leave the unconfineduser domain, although I have set up my own user to log in as staff_t and become sysadm_t when I am root.
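As an added example (not part of the thread above, and not a tool from the SELinux project), here is a small audit script that checks a host against the configuration the reply describes: the unconfined and permissivedomains modules disabled, and a given login mapped to staff_u so that it lands in staff_t. It parses the output of `semodule -lfull` and `semanage login -l`; the sample outputs embedded below are constructed to match the usual column layout of those commands, and the login name `alice` is an assumption.

```python
"""Audit SELinux module state and login mappings against the recommendation
in the thread: unconfined.pp and permissivedomains.pp disabled, and the
administrator's login mapped to staff_u (default domain staff_t).

Sample command output is constructed inline so the script runs offline; on a
real host it would come from running `semodule -lfull` and `semanage login -l`.
Both are assumed to print in the column layout shown here.
"""

# Constructed sample of `semodule -lfull`: priority, name, type, optional "disabled".
SEMODULE_LFULL = """\
100 abrt                       pp
100 permissivedomains          pp disabled
100 unconfined                 pp disabled
100 unconfineduser             pp
400 mylocal                    cil
"""

# Constructed sample of `semanage login -l` (whitespace-separated columns).
SEMANAGE_LOGIN_L = """\

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
"""


def parse_semodule(text):
    """Return {module_name: enabled} from `semodule -lfull` output."""
    modules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # blank line or something that is not a module row
        name, flags = parts[1], parts[3:]
        # A module can be installed at several priorities; if any row carries
        # the "disabled" flag, treat the module as disabled.
        modules[name] = modules.get(name, True) and "disabled" not in flags
    return modules


def parse_logins(text):
    """Return {login_name: selinux_user} from `semanage login -l` output."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "Login":
            continue  # blank line or the header row
        mapping[parts[0]] = parts[1]
    return mapping


def audit(semodule_text, login_text, login, expected_seuser="staff_u"):
    """Return a list of findings; an empty list means the host matches."""
    modules = parse_semodule(semodule_text)
    logins = parse_logins(login_text)
    findings = []

    for mod in ("unconfined", "permissivedomains"):
        if modules.get(mod, False):  # absent counts as not enabled
            findings.append(f"module {mod} is enabled; fix: semodule -d {mod}")

    # Logins without an explicit mapping inherit __default__.
    seuser = logins.get(login, logins.get("__default__"))
    if seuser != expected_seuser:
        findings.append(
            f"login {login} maps to {seuser}; fix: semanage login -a -s "
            f"{expected_seuser} {login} (use -m if a mapping already exists)"
        )
    return findings


if __name__ == "__main__":
    # With staff_u as the login's SELinux user, the shell starts in staff_t;
    # the switch to sysadm_t for root work is then done with sudo (a sudoers
    # entry carrying ROLE=sysadm_r TYPE=sysadm_t) or newrole -r sysadm_r.
    for finding in audit(SEMODULE_LFULL, SEMANAGE_LOGIN_L, "alice") or ["ok"]:
        print(finding)
```

Run it as-is to see the constructed sample pass; replace the two sample strings with the real command output (for instance via `subprocess.run`) to audit an actual host. Note that disabling unconfined.pp is only safe once every login and service you rely on has a confined domain to land in.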

