Decided to be proactive on the security-setup for my one project. Opted to confine my default-user to sysadm_u. However, as soon as I did that, I stopped being able to ssh into the resulting EC2 as the default-user. Turns out there's a bit more requirede in order to use that confinement with a user that also needs to be able to SSH into the host.
For those reading and who don't have a Red Hat login, if I want to confine a user to the to sysadm_u, I also need to ensure that my system-configuration automation includes:
Without the above, doing ansetsebool ssh_sysadm_login on setsebool -P ssh_sysadm_login on
ssh -v to the target user will show a spurious:Authenticated to 0.0.0.0 ([127.0.0.1]:22) using "publickey". debug1: pkcs11_del_provider: called, provider_id = (null) debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: pledge: filesystem full client_loop: send disconnect: Broken pipe
The `pledge: filesystem full` kinda threw me, at first, since I knew that neither my local nor my remote filesystem was full. So, I assumed that it was just a misleading error message (as seems to so often be the case when SELinux is involved). So, I searched for ssh login problems associated with the selected SELinux-confinement, which led me to the previously-linked Red Hat article.
I guess that's why the hardening guidelines show `staff_u` as the recommended confinement for administrator users?
Ultimately, I opted to use `staff_u`, instead. Having a cloud-config block like:
user: {
gecos: "GitLab Provisioning-Account (LOCAL)",
name: "${PROVISIONING_USER}",
selinux_user: 'staff_u',
sudo: ['ALL=(root) TYPE=sysadm_t ROLE=sysadm_r NOPASSWD:ALL']
}ROLE and TYPE SELinux transition-mappings defined for my default-user eliminates the confusion that can result when confining a user to staff_u and not supplying a mapping. Without the mapping, if an confined admin-user executes `sudo -i`, they get all sorts of unexpected `permission denied` errors.
