.SELinux `staff_u` users can no longer incorrectly switch to `unconfined_r`
Previously, when the `secure_mode` boolean was enabled, `staff_u` users could switch to the `unconfined_r` role, which was not the expected behavior. As a consequence, `staff_u` users could perform privileged operations affecting the security of the system. With this update, the SELinux policy has been fixed, and `staff_u` users can no longer incorrectly switch to `unconfined_r`.
rhel9# seinfo -xaunpriv_userdomain
Type Attributes: 1
attribute unpriv_userdomain;
guest_t
staff_t
staff_wine_t
unconfined_t
^^^
user_t
user_wine_t
xguest_t
There will be a few dependent fixes needed, e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=2076682
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:8283