Creating an SELinux User
By default, only three SELinux users are defined:
-
root Used by the system administrator
-
system_u Used by system processes and objects
-
user_u Used by generic users having no specific SELinux user identity
Unless your system has many users, you should generally create a
specific SELinux user identity for each human user who will log in
and use your SELinux system. To do so, modify the file
users in the policy source directory.
Adding a System Administrator
It’s important to add an SELinux
user identity for each user who
administers the system; otherwise, the user will be unable to
transition to the
sysadm_r
role. To specify a user as a system administrator, add
a declaration having the following form:
user wheel roles staff_r sysadm_r;where wheel is the name of the user
account. For example, to declare the user bill as
an administrative user, add the following declaration:
user bill role staff_r sysadm_r;
The Fedora Core implementation of SELinux provides a feature that enables a system administrator to launch daemons without using the run_init program. As a result, user declarations under Fedora Core are slightly different, taking the form:
user wheel roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };The
direct_sysadm_daemon
M4 macro, which implements the feature,
can be enabled or disabled by tweaking the file
tunable.te. The feature is enabled by default. If the feature is enabled, the expanded macro gives the declaration the following form: ...
Get SELinux now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
