Granting `sudo` Privileges to Confined Users

Hands-On Lab

Length: 00:30:00

Difficulty: Intermediate

In this lab, we'll review the process of granting sudo privileges to SELinux confined users. When working with SELinux confined users, you may run into problems with Linux users not being able to use sudo anymore. We'll discuss why this happens and how to resolve the issue.

Connecting to the Lab

  1. Open your terminal application, and run the following command (remember to replace <PUBLIC_IP> with the public IP you were provided on the lab instructions page):
    ssh cloud_user@<PUBLIC_IP>
  2. Enter yes at the prompt.
  3. Enter your cloud_user password at the prompt.
  4. Become root.
    sudo su 

Map pbeesly and jhalpert to the Appropriate SELinux User

  1. Map the user pbeesly to the staff_u user.
    semanage login -a -s "staff_u" pbeesly
  2. View the current logins to verify that this was successful.
    semanage login -l
  3. Map the user jhalpert to the staff_u user.
    semanage login -a -s "staff_u" jhalpert
  4. View the current logins to verify that this was successful.
    semanage login -l

Add pbeesly and jhalpert to the sudoers File

  1. Open the sudoers file.
    visudo
  2. Type / and search for the line root ALL=(ALL) ALL.
  3. Type i to enter insert mode.
  4. Under the line root ALL=(ALL) ALL, add the following two lines:
    pbeesly  ALL=(ALL)  TYPE=administrator_t  ROLE=administrator_r  /bin/sh
    jhalpert  ALL=(ALL)  TYPE=administrator_t  ROLE=administrator_r  /bin/sh
  5. Type :wq! to save and exit the file.

Update the SELinux Security Context of Each User's Home Directory

  1. View the current SELinux security context for both users.
    ls -lZ /home/
  2. Reset the SELinux security context for the user pbeesly.
    restorecon -FR -v /home/pbeesly
  3. Reset the SELinux security context for the user jhalpert.
    restorecon -FR -v /home/jhalpert
  4. Verify that the SELinux security context for both users has been updated.
    ls -lZ /home/
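
The `semanage login -l` and `ls -lZ /home/` verification steps above can be checked mechanically instead of by eye. The script below is an added example, not part of the original lab: the function names and the sample outputs are constructed for illustration, and it assumes a relabeled home directory carries staff_u in the user field of its context.

```shell
#!/bin/sh
# Added example, not part of the lab. Sample outputs below are constructed.

# stdin: `semanage login -l` output. $1: SELinux user. $2..: Linux logins.
# Prints every login that has no mapping to that SELinux user.
unmapped_logins() {
  want=$1; shift
  table=$(cat)
  for login in "$@"; do
    printf '%s\n' "$table" |
      awk -v l="$login" -v u="$want" \
        '$1 == l && $2 == u { ok = 1 } END { exit !ok }' || echo "$login"
  done
}

# stdin: `ls -lZ /home/` output. $1: SELinux user. $2..: directory names.
# Prints every directory whose context does not start with that SELinux user.
stale_home_labels() {
  want=$1; shift
  listing=$(cat)
  for dir in "$@"; do
    printf '%s\n' "$listing" |
      awk -v d="$dir" -v u="$want" '
        $NF == d { for (i = 1; i < NF; i++)
                     if ($i ~ /^[^:]+:[^:]+:[^:]+:/ && index($i, u ":") == 1) ok = 1 }
        END { exit !ok }' || echo "$dir"
  done
}

# Constructed sample: the jhalpert mapping is missing.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
pbeesly              staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'

# Constructed sample: /home/jhalpert has not been relabeled yet.
SAMPLE_HOMES='drwx------. 2 jhalpert jhalpert unconfined_u:object_r:user_home_dir_t:s0 62 Jan  1 00:00 jhalpert
drwx------. 2 pbeesly  pbeesly  staff_u:object_r:user_home_dir_t:s0      62 Jan  1 00:00 pbeesly'

# Each call prints the names that still need attention (here: jhalpert).
printf '%s\n' "$SAMPLE_LOGINS" | unmapped_logins staff_u pbeesly jhalpert
printf '%s\n' "$SAMPLE_HOMES"  | stale_home_labels staff_u pbeesly jhalpert
```

On the lab host, pipe the live command output into the same functions, for example `semanage login -l | unmapped_logins staff_u pbeesly jhalpert`; empty output means every listed user passed the check.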

Conclusion

Congratulations, you've successfully completed this hands-on lab!