
confined system accounts?

Hello Dan. On a systemd-enabled machine, what do you think is the appropriate role for the system accounts (postfix, mysql, apache, etc.) when one has disabled unconfineduser and the unconfined domain? I am thinking user_r, but can this identity/role (user_u/user_r) restart system services? Even though DAC rules forbid these accounts from accessing a shell, I think the best practice would be to confine them with SELinux RBAC to prevent even the slightest possibility of a privilege escalation.

Re: confined system accounts?

If you have a normal user on a machine, then I would run them with the user_u:user_r:user_t:s0-s0:c0.c1023 types. Normal user means someone who will never become an administrator. If I want someone to administrate some component of the machine, I would log them in as staff_u:staff_r:staff_t:s0 and have them transition to a confined admin role, like webadm_r, through sudo. If I want to allow a user to be a full admin, I would log them in as staff_u:staff_r:staff_t... and have them transition to sysadm_r:sysadmin_t through sudo.

If you want to have users with different capabilities on the same machine, you could create additional user types like mywebadm_u, which would log in by default as staff_r and transition to webadm_r.

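The setup described in the reply above (a mywebadm_u SELinux user that logs in as staff_r and reaches webadm_r through sudo), sketched as an added example that is not part of the original thread. It assumes the loaded policy provides webadm_r and webadm_t and that the policy store is /etc/selinux/targeted; the account name alice, the /bin/sh command and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints the steps by default; set APPLY=1 and run as root to apply.
APPLY="${APPLY:-0}"
POLICY_DIR="${POLICY_DIR:-/etc/selinux/targeted}"   # assumption: targeted policy store

# Print a command in dry-run mode (quoting is not preserved); execute it when APPLY=1.
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# Accept only plain identifiers so nothing else can be smuggled into sudoers.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit a sudoers rule that switches SELinux role and type for one command.
sudoers_rule() {   # linux_user role type command
    valid_name "$1" && valid_name "$2" && valid_name "$3" || return 1
    printf '%s ALL=(ALL) ROLE=%s TYPE=%s %s\n' "$1" "$2" "$3" "$4"
}

confine_admin() {  # linux_user selinux_user admin_role admin_type command
    valid_name "$1" && valid_name "$2" || return 1
    # SELinux user allowed to hold staff_r (at login) and the confined admin role.
    run semanage user -a -R "staff_r $3" "$2"
    # Default-context file copied from staff_u, so login lands in staff_r:staff_t.
    run cp "$POLICY_DIR/contexts/users/staff_u" "$POLICY_DIR/contexts/users/$2"
    # Map the Linux account to the new SELinux user.
    run semanage login -a -s "$2" "$1"
    # Rule to install in a sudoers drop-in with visudo -f.
    sudoers_rule "$1" "$3" "$4" "$5"
}

confine_admin alice mywebadm_u webadm_r webadm_t /bin/sh
```

After applying, `id -Z` in a fresh login session for the mapped account shows the login context, and the same command run through sudo shows the context after the role transition.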