On Tue, 2012-03-27 at 17:28 -0600, Kevin Fenzi wrote:
> Note that folks who need to sudo need to still be unconfined right?
No, you want them to be staff_u and add the following to your sudoers:
%wheel ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
This will transition to unconfined upon sudo.
BTW, I just found out that guest_u (and, by extension, my testguest_u) still allows sshd forwarding -- I guess it's hard to restrict that on the SELinux level. It can be disallowed in sshd config, though, including by group:
AllowTcpForwarding no
Match Group wheel
    AllowTcpForwarding yes
Best,
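As an added example, not part of the original message or of any Fedora configuration: a small POSIX shell script that works out which AllowTcpForwarding value a given user ends up with under an sshd_config that uses the "default no, Match Group wheel yes" pattern above. It implements a deliberately reduced subset of sshd's Match rules (User, Group and All criteria, exact comma-separated names, no wildcards or "!" negation) and the first-obtained-value rule, where a value in a matching Match block overrides the global one. The sample sshd_config it writes is constructed for the demonstration; user names and group lists are passed in as assumptions rather than looked up from the system.

```shell
#!/bin/sh
# Added example (not from the original post). Evaluates the effective
# AllowTcpForwarding for a user under a Match Group based sshd_config.
# Assumed subset of sshd semantics: "Keyword value" lines, Match criteria
# User / Group / All with exact comma-separated names, first value wins,
# a matching Match block overrides the global section, default is "yes".

# Usage: effective_tcp_forwarding CONFIG_FILE USER [GROUP ...]
# Prints the effective value (yes, no, local, remote or all).
effective_tcp_forwarding() {
    _cfg=$1; _user=$2; shift 2
    awk -v user="$_user" -v groups="$*" '
    BEGIN { ng = split(groups, garr, " ") }
    # exact match of val against a comma-separated pattern list
    function in_list(val, list,    n, i, parts) {
        n = split(list, parts, ",")
        for (i = 1; i <= n; i++) if (parts[i] == val) return 1
        return 0
    }
    # Match Group applies if ANY of the users groups is listed
    function any_group_in(list,    i) {
        for (i = 1; i <= ng; i++) if (in_list(garr[i], list)) return 1
        return 0
    }
    {
        sub(/#.*/, "")            # strip comments; awk re-splits fields
        if (NF == 0) next
        key = tolower($1)
        if (key == "match") {
            inmatch = 1; applies = 1
            for (i = 2; i <= NF; i += 2) {
                crit = tolower($i); pat = $(i + 1)
                if (crit == "user") { if (!in_list(user, pat)) applies = 0 }
                else if (crit == "group") { if (!any_group_in(pat)) applies = 0 }
                else if (crit != "all") applies = 0   # unsupported criterion
            }
            next
        }
        if (key == "allowtcpforwarding") {
            if (inmatch) { if (applies && mval == "") mval = tolower($2) }
            else if (gval == "") gval = tolower($2)
        }
    }
    END {
        if (mval != "") print mval          # first matching Match block wins
        else if (gval != "") print gval     # otherwise the global setting
        else print "yes"                    # sshd default when unset
    }' "$_cfg"
}

# Writes a constructed sample sshd_config (not a real hosts config) and
# prints its path.
write_sample_sshd_config() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# constructed sample: forwarding off by default, on for wheel members
Port 22
AllowTcpForwarding no
Match Group wheel
    AllowTcpForwarding yes
EOF
    printf '%s\n' "$_f"
}

cfg=$(write_sample_sshd_config)
effective_tcp_forwarding "$cfg" alice wheel users   # alice is in wheel -> yes
effective_tcp_forwarding "$cfg" bob users           # bob is not -> no
rm -f "$cfg"
```

On a real host the authoritative check is sshd itself: `sshd -T -C user=alice -C host=client.example -C addr=192.0.2.10 | grep -i allowtcpforwarding` prints the value sshd would apply to that connection, and `visudo -c -f /path/to/sudoers` validates the sudoers line with the TYPE= and ROLE= options before it goes live.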