Once logged in to a system, our user will run inside a certain context. This user context defines the rights and privileges that we, as a user, have on the system. The command to obtain current user information, id, also supports displaying the current SELinux context information:
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023On SELinux systems with a targeted policy type, chances are very high that all users are logged in asunconfined_u(the first part of the context). On more restricted systems, the user can beuser_u(regular restricted users),staff_u(operators),sysadm_u(system administrators), or any of the other SELinux users.
The SELinux user defines the roles that the user can switch to. SELinux roles themselves define the application domains that the user can use. By default, a fixed number of SELinux users are available on the system, but administrators can create additional SELinux users. It is also the administrator’s task to assign Linux logins to SELinux users.
SELinux roles, on the other hand, cannot be created through administrative commands, as SELinuxroles are part of the SELinux policy. For this, the SELinux policy needs to be enhanced with additional rules that create the role.
To view the currently available roles, useseinfo:
# seinfo --role
Roles: 14
auditadm_r
dbadm_r
...
xguest_rSELinux roles can be coarse-grained (such assysadm_r) or more functionality-oriented (such asdbadm_r). Custom SELinux roles can even be very fine-grained, only granting the ability to transition into limited domains.
Let’s see how to create and manage SELinux users.