Customizing Roles

The SELinux RBAC associates roles with users and domains. A given user is authorized only for specific roles, and a given role is authorized only for specific domains. Thus, a user cannot enter a domain unless the user is associated with a role authorized for the domain.

By default, the SELinux policy defines four roles:

staff_r

Used by users authorized to transition to the sysadm_r role

sysadm_r

Used by the system administrator

system_r

Used by system processes and objects

user_r

Used by ordinary users, who are not authorized to transition to the sysadm_r role

Tip

The fact that many system processes and objects share the system_r role does not mean that SELinux violates the principle of least privilege. Processes and objects generally have discrete types that determine the operations that they can perform and that can be performed on them. As commonly used, roles don’t authorize operations; instead they limit the types available to a process or object.

These roles are defined, and associated with users, by the user declarations appearing in the users file.

The Fedora Core SELinux policy defines two additional roles:

cyrus_r

Used by the Cyrus IMAP daemon

mailman_r

Used by the GNU mailing list manager application, Mailman

A role is defined by a role declaration that associates it with a domain. If multiple declarations associate a single role with multiple domains, the role is authorized to enter each of the domains specified. By convention, role declarations ...
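The three links the text describes (user to role, role to domain, and the staff_r to sysadm_r transition) look like this in the legacy monolithic policy syntax. This is an added example, not a fragment of the book's policy; the user joe and the particular domain types are assumed for illustration.

```selinux
# Role declarations: each role is authorized only for the domains listed.
# A role named in several declarations may enter every domain so named.
role system_r types { init_t syslogd_t };
role user_r   types user_t;
role staff_r  types staff_t;
role sysadm_r types sysadm_t;

# Role-allow rule: only staff_r may change to sysadm_r. Without it, a
# process in staff_r has no path into the sysadm_t domain.
allow staff_r sysadm_r;

# User declarations (users file): each user is authorized only for the
# roles listed. joe is an assumed example user, not a policy default.
user system_u roles system_r;
user user_u   roles { user_r };
user joe      roles { staff_r sysadm_r };

# user_u is confined to user_r and, through it, to user_t: a user who is
# not associated with a role authorized for a domain cannot enter it.
```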
