rbac f9

Let us assume we want to make user "joe" our website operator.
"joe" should only be able to operate apache.
To operate apache one traditionally would need a root password.

In fedora 9 root can be confined to specific roles.
Also in Fedora 9 user no longer need a root password to gain root
privileges due to SELinux support built-in sudo.
Pre-Fedora 9 a combination of su and newrole was used to gain root
privileges. This required a user to enter his password for newrole and
then also the root password for su.

Here is how you do it:

1. useradd joe
2. passwd joe
3. /usr/sbin/semanage user -a -L s0 -r s0-s0 -R "staff_r webadm_r" -P
user webadmin
4. /usr/sbin/semanage login -a -s webadmin -r s0-s0 joe
5. echo "joe ALL=(all) TYPE=webadm_t ROLE=webadm_r ALL" >> /etc/sudoers

When joe logs into the system, he will find himself in the staff_t user
domain (id -Z). This is a restricted user domain. The staff_r role is
similar to the user_r with the important exeption that staff_r may
transition to other , maybe more privileged, domain. unlike user_r.
user_r is confined to the user_t user domain, and may not transition.

If joe wants to, for example, restart the webserver, he can just type
sudo service httpd restart. Similar if joe wanted to edit a file that is
owned by apache, joe can edit the file in the webadm_t userdomain by
just typing sudo vi /etc/httpd/conf.d/httpd.conf.

Joe can also open a terminal session in the webadm_t domain by running:
sudo sh. If you would have even more roles, then joe would be able to
define in which user domain he wants to start a new terminal session:
sudo -t webadm_t -r webadm_r sh

Joe can even login to the system directly in the webadm_t domain by
using: ssh joe/webadm_r@localhost

You can delegate very specific administration tasks without having to
share the root password!