Re: confined system accounts?

If you have a normal user on a machine, then I would run them with the user_u:user_r:user_t:s0-s0:c0.c1023 types. Normal user means someone who will never become an administrator. If I want someone to administrate some component of the machine I would log them in as staff_u:staff_r:staff_t:s0 and have them transition to a confined admin role through sudo like webadm_r. If I want to allow a user to be a full admin I would log them in as staff_u:staff_r:staff_t... and have them transition to sysadm_r:sysadmin_t through sudo.

If you want to have users with different capabilities on the same machine you could create additional user types like mywebadm_u which would login by default as staff_r and transition to webadm_r.
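The login mappings, the extra SELinux user and the sudo role transitions described in this reply, as an added example that is not part of the original post and not the poster's own code. It assumes a targeted policy with the webadm_r/webadm_t pair available, the hypothetical login names alice, bob and carol, and a hypothetical custom SELinux user mywebadm_u; the MLS/MCS range given to the full admin is an assumption, since the post leaves it out. Nothing is applied unless the script is run with the `apply` argument; `plan` prints the commands and `audit` lists which logins on the current box still resolve to unconfined_u.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the semanage and sudoers
# entries for the three kinds of account described above and audits a login
# map for accounts still left unconfined. Names alice/bob/carol and the
# SELinux user mywebadm_u are hypothetical (assumption).
set -eu

# `semanage login` mapping: Linux login -> SELinux user (+ MLS/MCS range).
login_map_cmd() {   # login seuser range
    printf 'semanage login -a -s %s -r %s %s\n' "$2" "$3" "$1"
}

# A new SELinux user allowed both staff_r and webadm_r. Which role is used at
# login is decided by /etc/selinux/targeted/contexts/default_contexts, so
# listing staff_r first here is for readability only (assumption: the
# default_contexts file prefers staff_r for this user, as it does for staff_u).
seuser_add_cmd() {  # seuser roles range
    printf 'semanage user -a -R "%s" -r %s %s\n' "$2" "$3" "$1"
}

# sudoers entry that switches role and type for the sudo'd command.
# ROLE= and TYPE= are sudoers(5) keywords; the interactive equivalent is
# `sudo -r webadm_r -t webadm_t <cmd>`.
sudoers_line() {    # login role type
    printf '%s ALL=(root) ROLE=%s TYPE=%s ALL\n' "$1" "$2" "$3"
}

# The mappings: bob never administers anything, alice administers the web
# server only, carol is a full admin who still logs in confined as staff_u.
semanage_plan() {
    login_map_cmd bob   user_u  s0-s0:c0.c1023   # normal user
    login_map_cmd alice staff_u s0               # goes to webadm_r via sudo
    login_map_cmd carol staff_u s0-s0:c0.c1023   # goes to sysadm_r via sudo (range assumed)
    seuser_add_cmd mywebadm_u "staff_r webadm_r" s0-s0:c0.c1023
}

sudoers_plan() {
    sudoers_line alice webadm_r webadm_t
    sudoers_line carol sysadm_r sysadm_t
}

# Audit: given `semanage login -l` output on stdin, print every login that
# still resolves to unconfined_u. __default__ matters most: it is what every
# account without an explicit mapping gets, so an unconfined __default__ means
# a new user is unconfined until someone remembers to map it.
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# Constructed sample of `semanage login -l` output, used only for the demo.
SAMPLE_LOGIN_LIST='Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0                   *
bob                  user_u               s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'

case "${1:-}" in
    plan)  semanage_plan; sudoers_plan ;;
    apply) semanage_plan | sh -e -x
           sudoers_plan > /etc/sudoers.d/50-selinux-roles
           visudo -cf /etc/sudoers.d/50-selinux-roles ;;
    audit) semanage login -l | unconfined_logins ;;
    demo)  printf '%s\n' "$SAMPLE_LOGIN_LIST" | unconfined_logins ;;
esac
```

Run `./roles.sh demo` to see the audit flag `__default__` and `root` in the constructed sample; on a real host `./roles.sh audit` does the same against the live login map. Note that changing a login mapping takes effect at the next login, so a user currently on the box keeps their old context until they log out.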

