Confine almost all users as user_u.
/usr/sbin/semanage login -a -s user_u $user
Users who need admin access I confine as staff_u.
/usr/sbin/semanage login -a -s staff_u $user
There are 2 minor annoyances with this method.
First, I like regular users to be able to ping. This is enabled with a boolean.
setsebool -P selinuxuser_ping on
And second, although staff_u can use sudo, they are still restricted by SELinux. To allow unlimited access, add or edit /etc/sudoers.d/sudo to read:
%user ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
Replace “%user” with the user name you wish to allow unconfined root access. In sudoers a leading “%” denotes a group, so drop it when naming a single user.
You might also (or instead) change the default login mapping:
semanage login -m -S targeted -s user_u -r s0 __default__
If you don’t expect or intend to have any unconfined users, you can deny such logins:
setsebool -P unconfined_login off
Rather than changing sudo to run as unconfined by default, you can pass in the role as an option when you expect to need it; that way you can still run commands as root but with some confinement:
alias sado='sudo -r sysadm_r'
It should be noted that any staff_u user can transition to sysadm_r via sudo -r or newrole, so don’t rely on the sudoers trick for securing staff users.
It was on this post: https://thelinuxcauldron.wordpress.com/wp-admin/post.php?post=32&action=edit
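To check the login mappings that result from the commands above, the listing printed by semanage login -l can be audited for logins that are still unconfined. This is an added example, not part of the original post; the function name audit_login_map and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux login mappings in `semanage login -l` format.
# audit_login_map reads the listing on stdin, prints one line per mapping
# that needs attention, and returns 1 if any login is still unconfined.
audit_login_map() {
    awk '
        # Skip blank lines and the "Login Name  SELinux User ..." header row.
        NF < 2 || ($1 == "Login" && $2 == "Name") { next }
        # Logins (including __default__ and %group entries) left unconfined.
        $2 == "unconfined_u" { print "UNCONFINED " $1; bad = 1; next }
        # staff_u can reach sysadm_r via sudo -r or newrole, so list it for review.
        $2 == "staff_u"      { print "ADMIN-CAPABLE " $1 }
        END { exit bad + 0 }
    '
}

# Constructed sample listing (not taken from a real host).
SAMPLE_MAP='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
alice                user_u               s0                   *
bob                  staff_u              s0-s0:c0.c1023       *'

printf '%s\n' "$SAMPLE_MAP" | audit_login_map || echo "unconfined logins remain"
# On a live system, as root: semanage login -l | audit_login_map
```

Changing only the __default__ mapping leaves an explicit root entry untouched, which is why the sample flags both lines.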