Customizing Roles
The SELinux RBAC associates roles with users and domains. A given user is authorized only for specific roles, and a given role is authorized only for specific domains. Thus, a user cannot enter a domain unless the user is associated with a role authorized for the domain.
By default, the SELinux policy defines four roles:
- staff_r
  Used by users authorized to transition to the sysadm_r role
- sysadm_r
  Used by the system administrator
- system_r
  Used by system processes and objects
- user_r
  Used by ordinary users, who are not authorized to transition to the sysadm_r role
Tip
The fact that many system processes and objects share the system_r role does not mean that SELinux violates the principle of least privilege. Processes and objects generally have discrete types that determine the operations that they can perform and that can be performed on them. As commonly used, roles don't authorize operations; instead they limit the types available to a process or object.
These roles are defined, and associated with users, by the user declarations appearing in the users file.
The Fedora Core SELinux policy defines two additional roles:
- cyrus_r
  Used by the Cyrus IMAP daemon
- mailman_r
  Used by the GNU mailing list manager application, Mailman
A role is defined by a role declaration that associates it with a domain. If multiple declarations associate a single role with multiple domains, the role is authorized to enter each of the domains specified. By convention, role declarations ...
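The user-to-role-to-domain chain described above can be made concrete with a small script. The following is an added example written for this section, not code from the book or from the SELinux project: it reads role and user declarations written in the classic policy syntax ("role R types { ... };" and "user U roles { ... };") from a constructed sample, merges repeated declarations for one role, and answers the question the text poses, namely whether a given user can enter a given domain. The user names, domain types and the sample policy itself are constructed for illustration; the four default role names come from the text.

```python
"""Added example (not from the book): evaluate the SELinux RBAC chain
user -> role -> domain from 'role' and 'user' declarations.

Syntax assumed (classic example policy, as described in the chapter):
    role sysadm_r types { sysadm_t newrole_t };
    user root roles { staff_r sysadm_r };
"""
import re

# Constructed sample policy. Role names match the text; the domain types
# (sysadm_t, staff_t, user_t, ...) and user names are illustrative only.
SAMPLE_POLICY = """
role system_r types { init_t kernel_t crond_t };
role sysadm_r types { sysadm_t };
role sysadm_r types { newrole_t };      # second declaration for the same role
role staff_r  types { staff_t newrole_t };
role user_r   types user_t;
user system_u roles { system_r };
user root     roles { staff_r sysadm_r };
user alice    roles { user_r };
"""

ROLE_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)\s*;")
USER_RE = re.compile(r"^\s*user\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)\s*;")


def _names(field):
    """Turn '{ a b }' or 'a' into the set {'a', 'b'} / {'a'}."""
    return set(field.strip("{} ").split())


def parse_policy(text):
    """Return (roles, users): role -> authorized domains, user -> authorized roles.

    Multiple declarations for one role (or user) accumulate, matching the
    text's statement that each declaration adds the domains it names.
    """
    roles, users = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        if m := ROLE_RE.match(line):
            roles.setdefault(m.group(1), set()).update(_names(m.group(2)))
        elif m := USER_RE.match(line):
            users.setdefault(m.group(1), set()).update(_names(m.group(2)))
    return roles, users


def roles_for_domain(roles, domain):
    """All roles authorized for a domain (a domain may belong to several roles)."""
    return {role for role, domains in roles.items() if domain in domains}


def can_enter(roles, users, user, domain):
    """True only if some role is authorized both for the user and for the domain."""
    return bool(users.get(user, set()) & roles_for_domain(roles, domain))


def is_valid_context(roles, users, context):
    """Check a 'user:role:type' security context against the declarations:
    the user must be authorized for the role and the role for the type."""
    user, role, dtype = context.split(":")[:3]
    return role in users.get(user, set()) and dtype in roles.get(role, set())


if __name__ == "__main__":
    roles, users = parse_policy(SAMPLE_POLICY)
    for ctx in ("root:sysadm_r:sysadm_t", "alice:user_r:sysadm_t", "root:user_r:user_t"):
        print(ctx, "valid" if is_valid_context(roles, users, ctx) else "DENIED")
```

The last of the three sample contexts is rejected even though user_r is authorized for user_t: root is never associated with user_r, so the first link of the chain is missing. That is exactly the separation the text describes, and it is why a user cannot reach a domain merely because some role happens to be authorized for it.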