Several projects such as [this one][play_root] propose a free root access to a Linux box in order to demonstrate SELinux confinement abilities. Even given a root access on a box, SELinux still prevents any harm from being done.
Is this for real or is there any trick behing such setup?
This is indeed possible because SELinux does not actually care about the current Unix user: all it sees is a supplementary metadata called the context (which includes, among other fields, a domain field) and which lets SELinux decide whether the requested action can be authorized or not.
What one usually conceives as the root user should be mapped in SELinux as a
root Unix user running either the
sysadm_t SELinux domain.
It is the classical full-powered omnipotent root user.
However, one could perfectly setup his system to spawn a root shell (I mean
root Unix user shell) running the restricted user
user_t SELinux domain.
As per SELinux policies, such shell would be no different than any other
restricted user shell and would have no special privilege on the system, thus
effectively confining the root user.
Appart from an experimental point-of-view, doing such thing as-is has no practical use. However similar practices find their way in the real world.
A classic example can be a database administrator needing to be able to
stop/start the database daemons, edit configuration files, etc.
Without SELinux, all these actions would require the user to escalate toward
root privileges (even if it is normally for a single command line via the
sudo tool for instance, but even that may be prone to leaks).
Thanks to SELinux, we can give this user a genuine root shell, but instead
sysadm_t domains it will run the
This mean that he will have more privileges than a restricted user, but these
new privileges will be limited to what is needed to administrate the database
server: this user will not be able to tamper with other services, files or run
other administrative commands than those strictly required to do his job.
The same way, the web server and other services administrators could also have other root shells running in parallel on the same system, every one will see their current Unix user being root, but thanks to SELinux each one will have effectively different privileges limited to what is needed for their own purposes.
Article based on a StackExchange answer.