>From a traditional strict point of view (without unconfined), this is how the >workflow should be:
when you login directly as root you should get "sysadm_r:sysadm_t" (which is the strict equivalent to unconfined) when you want an unprivileged user (users in the "adm" group) to have root access with sysadm_r:sysadm_t, you would associate that user with staff_u: useradd -Z staff_u joe staff_u users should be able to transition to sysadm_r:sysadm_t with sudo: sudo -r sysadm_r -t sysadm_t -s or alternatively with newrole/su: newrole -r sysadm_r su unprivileged users that should never have root access should be associated with user_u: useradd -Z user_u jane -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift

