Creating an SELinux User
By default, only three SELinux users are defined:

  root      Used by the system administrator
  system_u  Used by system processes and objects
  user_u    Used by generic users having no specific SELinux user identity
Unless your system has many users, you should generally create a specific SELinux user identity for each human user who will log in and use your SELinux system. To do so, modify the users file in the policy source directory.
Adding a System Administrator
It's important to add an SELinux user identity for each user who administers the system; otherwise, the user will be unable to transition to the sysadm_r role. To specify a user as a system administrator, add a declaration having the following form:

    user wheel roles { staff_r sysadm_r };

where wheel is the name of the user account. For example, to declare the user bill as an administrative user, add the following declaration:

    user bill roles { staff_r sysadm_r };
The Fedora Core implementation of SELinux provides a feature that enables a system administrator to launch daemons without using the run_init program. As a result, user declarations under Fedora Core are slightly different, taking the form:

    user wheel roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };

The direct_sysadm_daemon M4 macro, which implements the feature, can be enabled or disabled by tweaking the file tunable.te. The feature is enabled by default. If the feature is enabled, the expanded macro gives the declaration the following form: ...
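As an added check that is not part of the book, the following script parses a policy-source users file (a constructed sample is embedded), resolves the direct_sysadm_daemon ifdef the same way M4 would when the macro is defined or undefined, and reports which administrators lack the sysadm_r role. Only that one M4 construct is handled here; a real policy build runs m4 over the whole source tree.

```python
import re

# Constructed sample of a policy-source "users" file (not taken from the book).
SAMPLE_USERS = """
user system_u roles system_r;
user user_u roles { user_r };
user root roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
user bill roles { staff_r sysadm_r };
user alice roles { staff_r };
"""

# ifdef(`MACRO', `text-if-defined', `text-if-undefined') with the third argument optional
IFDEF_RE = re.compile(r"ifdef\(`(\w+)',\s*`([^']*)'(?:,\s*`([^']*)')?\)")
# user NAME roles ROLE;  or  user NAME roles { ROLE ROLE ... };
USER_RE = re.compile(r"^\s*user\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)\s*;", re.M)


def expand_ifdef(text, defined):
    """Resolve the m4 ifdef construct for the given set of defined macro names."""
    def repl(m):
        macro, if_true, if_false = m.group(1), m.group(2), m.group(3) or ""
        return if_true if macro in defined else if_false
    return IFDEF_RE.sub(repl, text)


def parse_users(text, defined=frozenset()):
    """Return {user: set(roles)} for every user declaration in the expanded text."""
    users = {}
    for name, roles in USER_RE.findall(expand_ifdef(text, defined)):
        users[name] = set(roles.strip("{} ").split())
    return users


def missing_sysadm(users, admins):
    """Administrators whose declaration does not grant sysadm_r (or who have none)."""
    return sorted(a for a in admins if "sysadm_r" not in users.get(a, set()))


if __name__ == "__main__":
    for defined in (frozenset(), frozenset({"direct_sysadm_daemon"})):
        users = parse_users(SAMPLE_USERS, defined)
        print("direct_sysadm_daemon defined:", bool(defined))
        for name, roles in users.items():
            print(f"  {name:9s} {' '.join(sorted(roles))}")
    print("admins missing sysadm_r:", missing_sysadm(users, ["root", "bill", "alice", "carol"]))
```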