SELinux
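In single-user mode with SELinux non-enforcing, you can run scripts to modify the system. The files such a script installs still need the right owner, mode and SELinux label once the system is back in enforcing mode, which is why the example below follows its copies with chmod and chcon or restorecon.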
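# Apply local configuration overrides to a system booted single-user with
# SELinux non-enforcing. Run as root from the directory that holds ./panel,
# ./system-auth, ./useradd, ./login, ./gdm, ./login-banner.conf,
# ./Label_Encodings and ./Label_Config.
#
# Every cp keeps a numbered backup (name.~N~) of the file it replaces, so a
# broken PAM or label file can be rolled back from the same directory.

failures=0

# Run one command. On failure, report it on stderr and count it, then carry on
# so the remaining independent steps still run.
step() {
  "$@" || {
    printf 'FAILED (exit %s): %s\n' "$?" "$*" >&2
    failures=$((failures + 1))
  }
}

echo
echo
echo "Installing panel shortcuts"
step cp --backup=numbered --preserve -v -r ./panel /etc/xdg/xfce4/
# cp --preserve keeps the owner of the staged copy. System-wide config must not
# stay owned by whoever unpacked the staging directory, so reset it to root.
step chown -R root:root /etc/xdg/xfce4/panel
# Deletes adminusr's whole per-user config tree, presumably so the new
# system-wide panel defaults are picked up -- confirm nothing else is needed
# from it. Options first and "--" so the path can never be read as an option.
step rm -rf -- /home/adminusr/.config
# chcon changes only the SELinux user field; the type stays as cp created it.
# NOTE(review): the Label_* steps below use restorecon instead -- confirm
# which is intended here.
step chcon --recursive --user=system_u /etc/xdg/xfce4/panel
# NOTE(review): 644 on a subdirectory would strip its search bit; this assumes
# ./panel contains only regular files -- confirm.
step chmod 644 /etc/xdg/xfce4/panel/*
step ls -laZ /etc/xdg/xfce4/panel

echo
echo
echo "Removing dictionary checking for Unix passwords"
# system-auth is a PAM service file: a syntax error in it can break
# authentication, and a non-root owner could rewrite the authentication stack.
# Dropping the dictionary check weakens password-quality enforcement; confirm
# another control covers it.
step cp --backup=numbered --preserve -v ./system-auth /etc/pam.d/system-auth
step chown root:root /etc/pam.d/system-auth
step chcon --user=system_u /etc/pam.d/system-auth
step chmod 644 /etc/pam.d/system-auth
step ls -laZ /etc/pam.d/system-auth*

echo
echo
echo "Changing Unix user inactive period to stop admins being locked out"
step cp --backup=numbered --preserve -v ./useradd /etc/default/useradd
step chown root:root /etc/default/useradd
step chcon --user=system_u /etc/default/useradd
step chmod 600 /etc/default/useradd
step ls -laZ /etc/default/useradd*

echo
echo
echo "Changing adminusr inactive period to never"
# --inactive -1 removes the inactivity lock, and -M 99999 sets the maximum
# password age to 99999 days, so neither control will disable adminusr.
# The account therefore needs to be covered by password strength and
# monitoring rather than by ageing.
step chage --inactive -1 adminusr
step chage -M 99999 adminusr

echo
echo
echo "Changing Unix lockout to comply with ISM"
step cp --backup=numbered --preserve -v ./login /etc/pam.d/login
step chown root:root /etc/pam.d/login
step chcon --user=system_u /etc/pam.d/login
step chmod 644 /etc/pam.d/login
step ls -laZ /etc/pam.d/login*
step cp --backup=numbered --preserve -v ./gdm /etc/pam.d/gdm
step chown root:root /etc/pam.d/gdm
step chcon --user=system_u /etc/pam.d/gdm
step chmod 644 /etc/pam.d/gdm
step ls -laZ /etc/pam.d/gdm*

echo
echo
echo "Updating Login Banner"
# NOTE(review): unlike the other steps there is no chcon/restorecon here;
# confirm the label the file gets from cp is the intended one.
step cp --backup=numbered --preserve -v ./login-banner.conf /etc/login-banner/login-banner.conf
step chown root:root /etc/login-banner/login-banner.conf
step chmod 644 /etc/login-banner/login-banner.conf
step ls -laZ /etc/login-banner/login-banner.conf*

echo
echo
echo "Updating Label Encodings"
# restorecon resets the label from the loaded policy's file-context rules.
# The trailing glob also relabels the numbered backups cp just made.
step cp --backup=numbered --preserve -v ./Label_Encodings /etc/xxxxx/Label_Encodings
step chown root:root /etc/xxxxx/Label_Encodings
step chmod 644 /etc/xxxxx/Label_Encodings
step restorecon /etc/xxxxx/Label_Encodings*
step cp --backup=numbered --preserve -v ./Label_Config /etc/xxxxx/Label_Config
step chown root:root /etc/xxxxx/Label_Config
step chmod 644 /etc/xxxxx/Label_Config
step restorecon /etc/xxxxx/Label_Config*
step ls -laZ /etc/xxxxx/Label_*

if [ "$failures" -ne 0 ]; then
  printf '%s step(s) failed; review the messages above before rebooting\n' "$failures" >&2
fi
# The final test sets the exit status without calling exit, so pasting these
# lines into an interactive shell does not close it.
[ "$failures" -eq 0 ]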
Running a program as root from a script
#!/bin/bash
# Switch to the sysadm_r SELinux role, then become root and run a script.
#
# newrole hands everything after "--" to the shell it starts in the new role,
# so that shell executes the two commands held in role_cmds. su prompts for
# the root password itself; the echo only tells the operator which password
# is being asked for.
#
# /somescript.sh ends up running as root: keep it root-owned and writable by
# root only, otherwise anyone who can edit it gains root through this wrapper.
#
# Single quotes keep the command text literal, so nothing in it is expanded by
# the calling shell before newrole runs.
role_cmds='
echo Enter root password:
/bin/su - -c /somescript.sh
'
newrole -r sysadm_r -- -c "$role_cmds"