October 18th, 2013

Difference between a Confined User (staff_u) and a Confined Administrator.

Confined users have been around for a while, and several people have used them.  I use the staff_u user for my logins.


One common mistake people make when they use confined users is they expect them to work when running as root.

Which of course the don't!!!  They are CONFINED.

The idea of a confined user is to control the access is available to a logged in user.  If the user needs to do administrative tasks as root, he needs to become a Confined Administrator.

This means if you are logged in as a confined user SELinux will prevent you from running most programs that will make you root including "su".

In SELinux we have the concept of a process transition.  When we use confined users we like to transition the Confined User process to a Confined Administrator when the process needs to run as root.    Another way to look at this is Roles Based Access Control (RBAC).  Which means that when I log into a machine I have one Role, but if I want to administrate the machine I need to switch to a different Role.

In SELinux we currently have two different ways to change Roles, or to switch from a Confined User to a Confined Administrator.

  1. newrole - This command can be executed by a user and will request to the SELinux Kernel to change its role, if allowed by policy.  The problem with this tool is you still need to change to root, via su or sudo.

  2. sudo - We allow you to change both your SELinux Role/Type in sudo as well as become root.

In my case I run my login as staff_u:staff_r:staff_t:s0-s0:c0.c1023, and when I execute a command through sudo, sudo transitions my process to staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.  If you want to run with a slightly confined administrator you could setup a transition to staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023, which I like to call the drunken unconfined_t, it can do everything unconfined_t can do, but stumbles around alot.

We also have a few other confined administrators like:

  1. webadm_t, which can only administrate apache types.

  2. dbadm_t which can administrate types associated with mysql and postgresql.

  3. logadm_t which can administrate types associated with syslog and auditlog

  4. secadm_t which can only administrate SELinux controls

  5. auditadm_t which can only administrate the audit subsystem.

It is fairly easy to add additional confined administrator types using sepolicy/sepolgen.

To configure an Confined User/Confined Administrator pair, you need to do a few steps.

Note: You could skip the first two steps and just use staff_u

Step 1:  Create a Brand New SELinux User Definition confined_u

# semanage user -a -r s0-s0:c0.c1023 -R "staff_r unconfined_r webadm_r sysadm_r system_r" confined_u

Note: I added roles staff_r which will be the role of the confined user when he logs in.  The other roles are potential roles that the user will use when he is an administrator.  Only one of these roles is required "unconfined_r webadm_r sysadm_r " but I added them all to give you options.  system_r is in there to allow you to restart system services.  You would not need this on a systemd system, or if you were going to user run_init.  But if you want to just use "service restart foobar" on a system V system like RHEL6 you need to have this role.

Step 2:  We need to setup the default context file to tell programs like sshd or xdm which one of the roles/types we would like to use by default.  We are simply going to copy the staff_u context file.  You could also use IPA to override this selection.

# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/confined_u

Step 3: Now we want to configure our Linux Account to use the SELinux User
# semanage login -a -s confined_u -rs0:c0.c1023 dwalsh

Note: In stead of using a user name you could use a linux group like wheel, by specifying %wheel.  Also if you want to modify the default for all users that are not specified you could use the name __default__.

Step 4:  Now you need to configure sudo to transition your Confined User process to a Confined Administrator
You can either modify the /etc/sudoers file with a line like the following.

echo "%wheel    ALL=(ALL)  TYPE=unconfined_t ROLE=unconfined_r    ALL" >> /etc/sudoers

Or add a file to /etc/sudoers.d

echo "dwalsh   ALL=(ALL)  TYPE=webadm_t ROLE=webadm_r   /bin/sh " > /etc/sudoers.d/dwalsh

It would not hurt to relabel your homedir at this point.

# restorecon -R -v /home/dwalsh

Now if you were already logged in as you user account, you were probably running processes as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, so you might want to reboot to make sure everything is cleaned up.

After reboot, when you login you should see your processes running as

> id -Z

Now you should not be allowed to run the su command (unless you newrole to an admin role), but if you execute

> sudo -i
# id -Z