User Declarations
User declarations associate roles with SELinux users. A user cannot enter a role unless the role has been associated with the user’s current identity.
Figure 6-14 shows the syntax of user declarations.
Figure 6-14. User declaration syntax
Here are typical user declarations found in the src/policy/users file:
user system_u roles system_r;
user user_u roles { user_r };
user root roles { staff_r };
In the Fedora Core 2 implementation of SELinux, the src/policy/users file includes M4 macros that can define the roles associated with the user_u and root users differently. If the user_canbe_sysadm symbol is defined, the user_u user is instead defined as:
user user_u roles { user_r sysadm_r system_r };
And, if the direct_sysadm_daemon symbol is defined, the root user is instead defined as:
user root roles { staff_r system_r };
Both the user_canbe_sysadm and direct_sysadm_daemon symbols are defined in the tunable.te file. They can be undefined by prefixing the appropriate lines with dnl, the M4 comment token.
If your system includes one or more user accounts other than root, you should update the users file so that it associates each user account with either the role user_r (for ordinary users) or staff_r (for users who administer the system). For instance, you might add declarations such as these:
user ordinary roles user_r;
user admin roles staff_r;
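Because the users file decides which identities may ever enter sysadm_r, it is worth auditing after editing it. The following Python script is an added example, not part of the book or the SELinux policy sources: it parses both the braced and unbraced forms of the user declaration shown above and lists which users can enter a given role. The sample file contents are constructed from the declarations on this page, with user_canbe_sysadm assumed to be in effect.

```python
"""Parse SELinux policy `user` declarations and audit role assignments."""
import re
from typing import Dict, List, Set

# A declaration is `user NAME roles ROLE;` or `user NAME roles { ROLE ROLE ... };`
# The leading \b plus required whitespace keeps role names such as user_r from matching.
_DECL = re.compile(r"\buser\s+(\w+)\s+roles\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")


def parse_user_declarations(policy_text: str) -> Dict[str, Set[str]]:
    """Return {user: set(roles)} for every declaration in the text.

    Braced and unbraced forms are both accepted. A user that appears in
    more than one declaration (easy to do in a hand-edited users file)
    has its role sets merged, which is what the audit should see.
    """
    users: Dict[str, Set[str]] = {}
    for match in _DECL.finditer(policy_text):
        name, braced, single = match.groups()
        roles = set(braced.split()) if braced is not None else {single}
        users.setdefault(name, set()).update(roles)
    return users


def users_with_role(users: Dict[str, Set[str]], role: str) -> List[str]:
    """List the users permitted to enter `role`, sorted for stable output."""
    return sorted(user for user, roles in users.items() if role in roles)


# Constructed sample: the page's declarations, with user_u as defined
# when the user_canbe_sysadm symbol is left defined in tunable.te.
SAMPLE_USERS_FILE = """
user system_u roles system_r;
user user_u roles { user_r sysadm_r system_r };
user root roles { staff_r };
user ordinary roles user_r;
user admin roles staff_r;
"""

if __name__ == "__main__":
    parsed = parse_user_declarations(SAMPLE_USERS_FILE)
    for user, roles in sorted(parsed.items()):
        print(f"{user}: {' '.join(sorted(roles))}")
    # With user_canbe_sysadm defined, the generic user_u identity can reach sysadm_r.
    print("can enter sysadm_r:", users_with_role(parsed, "sysadm_r"))
```

Running it against a real users file (after M4 expansion) shows at a glance whether any ordinary account has been granted sysadm_r.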