My goal is to share the management of security policies and selinux-related operation permissions with the secadm user. I created a selinux user named secadm_u and a normal user secadm with the following command:
semanage user --add --roles secadm_r secadm_u
useradd -m -U -Z secadm_u secadm
Because under DAC, secadm is a general user, which causes operations like setenforce to fail, because the interface files under /sys/fs/selinux require the write permission of the owner root, for example, the disable file can only be written by the owner root,
# ll /sys/fs/selinux/disable
--w-------. 1 root root 0 Jan 1 1970 /sys/fs/selinux/disable
and the newly created general user cannot pass the DAC check. Is there a more formal solution like this, maybe it only be solved by modifying the owner of /sys/fs/selinux ?
My goal is to share the management of security policies and selinux-related operation permissions with the secadm user. I created a selinux user named secadm_u and a normal user secadm with the following command:
Because under DAC,
secadmis a general user, which causes operations likesetenforceto fail, because the interface files under/sys/fs/selinuxrequire the write permission of the owner root, for example, thedisablefile can only be written by the owner root,# ll /sys/fs/selinux/disable --w-------. 1 root root 0 Jan 1 1970 /sys/fs/selinux/disableand the newly created general user cannot pass the DAC check. Is there a more formal solution like this, maybe it only be solved by modifying the owner of
/sys/fs/selinux?