review LAB - Restricting USB Device Access and Mit...

radzewi · ‎01-01-2024

Hello team,

I think this might be some issue with Lab: Restricting Access to USB Devices and Mitigating Risks in SELinux.

According to the lab instructions, you need to configure a devops user who cannot use the su command, but can use sudo and log in using ssh.

This LAB's solution guide shows that we should use sysadm_u, but that doesn't limit the use of su... Why isn't it staff_u?

Chetan_Tiwary_ · ‎01-02-2024

Hello @radzewi !
I see that what you stated is correct :

as step 9 in ch12s04 ( RH415v7.5 ) is asking to restrict su but not sudo :

I will report this issue to the curriculum team for rectification / explanation. Thanks for your time and reporting this here.

For the new v9 RH415 course ( in progress as of now ) - I dont see this comp review lab yet but this feedback will definitely help in such lab scenarios.

Ravi_Shanker · ‎01-07-2024

Additional learning I got is the new user confine selinux context settings would come in effect for fresh login to user. Logging in to user using su after changes and trying to test the new settings does not work. This is mentioned in the security guide but could not find in training. Thought this might be useful to share. Silly issue but I was trying to make settings work in my home lab for quite some time with no success as I had not taken a fresh login session.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_a...

Chapter 6

Certification ID: 111-010-393

review LAB - Restricting USB Device Access and Mitigating Risk with SELinux - selinux user