Confine almost all users as user_u.

/usr/sbin/semanage login -a -s user_u $user

Users who need admin access I confine as staff_u.

/usr/sbin/semanage login -a -s staff_u $user

There are 2 minor annoyances with this method.

First I like regular users to be able to ping. This is enabled as a boolean.

setsebool -P selinuxuser_ping on

And second, although staff_u can use sudo, they are still restricted by SELinux. To allow unlimited access, add or edit /etc/sudoers.d/sudo to read:

/etc/sudoers.d/sudo

%user ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

Change “%user” to the user name you wish to allow unconfined root access.

Might also (or instead) change the default login mapping:

semanage login -m -S targeted -s user_u -r s0 __default__

If you don’t expect or intend to have any unconfined users, you can deny such logins:

setsebool -P unconfined_login off

Rather than changing sudo to run as unconfined by default, you can pass in the role as an option when you expect to need it; that way you can still run commands as root but with some confinement:

alias sado='sudo -r sysadm_r'

It should be noted that any staff_u can transition to sysadm_r via sudo -r or newrole so don’t rely on the sudoers trick for securing staff users.

It was on this post: https://thelinuxcauldron.wordpress.com/wp-admin/post.php?post=32&action=edit