User Declarations

User declarations associate roles with SELinux users. A user cannot enter a role unless the role has been associated with the user’s current identity.

Figure 6-14 shows the syntax of user declarations.

Figure 6-14. User declaration syntax

Here are typical user declarations found in the src/policy/users file:

user system_u roles system_r;
user user_u   roles { user_r };
user root     roles { staff_r };

In the Fedora Core 2 implementation of SELinux, the src/policy/users file includes M4 macros that select a different set of roles for the user_u and root users depending on which symbols are defined. If the user_canbe_sysadm symbol is defined, the user_u user is instead defined as:

user user_u   roles { user_r sysadm_r system_r };

And, if the direct_sysadm_daemon symbol is defined, the root user is instead defined as:

user root     roles { staff_r system_r };

Both the user_canbe_sysadm and direct_sysadm_daemon symbols are defined in the tunable.te file. They can be undefined by prefixing the appropriate lines with dnl, the M4 comment token.

If your system includes one or more user accounts other than root, you should update the users file so that it associates each user account with either the role user_r (for ordinary users) or staff_r (for users who administer the system). For instance, you might add declarations such as these:

user ordinary roles user_r;
user admin    roles staff_r;
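As an added illustration (not code from the book), the following Python checker resolves the two M4 tunables described above over a constructed users file and reports which identities may enter a given role. The sample file, the simplified ifdef() handling and the helper names are assumptions for this example, not the real Fedora Core 2 policy.

```python
import re

# Constructed sample modelled on the src/policy/users layout described above
# (not the real Fedora Core 2 file): the M4 ifdef() blocks pick the role set
# for user_u and root depending on which tunable symbols are defined.
SAMPLE_USERS = r"""
user system_u roles system_r;

ifdef(`user_canbe_sysadm', `
user user_u   roles { user_r sysadm_r system_r };
', `
user user_u   roles { user_r };
')

ifdef(`direct_sysadm_daemon', `
user root     roles { staff_r system_r };
', `
user root     roles { staff_r };
')

user ordinary roles user_r;
user admin    roles staff_r;
"""

# Non-nested ifdef(`sym', `then', `else') blocks and single user declarations.
IFDEF_RE = re.compile(r"ifdef\(`(\w+)',\s*`([^']*)'(?:,\s*`([^']*)')?\)", re.S)
USER_RE = re.compile(r"^\s*user\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)\s*;", re.M)

def expand_tunables(text, defined):
    """Resolve ifdef() blocks for a set of defined symbols (simplified m4)."""
    def pick(m):
        sym, then_branch, else_branch = m.group(1), m.group(2), m.group(3) or ""
        return then_branch if sym in defined else else_branch
    return IFDEF_RE.sub(pick, text)

def parse_users(text):
    """Map each declared SELinux user to the set of roles it may enter."""
    users = {}
    for name, roles in USER_RE.findall(text):
        users[name] = set(roles.strip("{} ").split())
    return users

def can_enter(users, user, role):
    # A user can enter a role only if the declaration associated it with them.
    return role in users.get(user, set())

def users_with_role(users, role):
    """Identities that may enter a role, e.g. an audit of who can reach sysadm_r."""
    return sorted(u for u, roles in users.items() if role in roles)
```

Running the audit with both tunables left at their defaults and again with both defined shows how the tunables widen the set of identities that can reach sysadm_r and system_r.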
