In addition to the regular Linux users, there are SELinux users. SELinux users are part of an SELinux policy, and each SELinux user is authorized for a specific set of roles and for a specific MLS (Multi-Level Security) range. Each Linux user is mapped to an SELinux user as part of the policy, so Linux users inherit the restrictions, security rules and mechanisms placed on the SELinux user they are mapped to.
The mapped SELinux user identity is used in the SELinux context of the processes in a login session, and it defines which roles and levels those processes can enter. You can view the list of mappings between Linux user accounts and SELinux users from the command line:
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
Role is an attribute of the Role-Based Access Control (RBAC) security model. The role serves as an intermediary between domains and SELinux users. SELinux users are authorized for roles, roles are authorized for domains, and processes run in their own separate domains. The roles determine which domains you can enter, and ultimately, which files you can access.
Type is an attribute of Type Enforcement (TE). The type defines a type for files, and defines a domain for processes. Processes are separated from each other by running in their own domains. This separation prevents processes from accessing files used by other processes, as well as preventing processes from accessing other processes. SELinux policy rules define how types can access each other, whether it is a domain accessing a type, or a domain accessing another domain.
Level is an attribute of MLS and MCS. An MLS range is a pair of levels, written as lowlevel-highlevel if the levels differ, or lowlevel if the levels are identical (s0-s0 is the same as s0). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as sensitivity:category-set. If there are no categories, it is written as sensitivity.
If the category set is a contiguous series, it can be abbreviated. For example, c0.c3 is the same as c0,c1,c2,c3. The /etc/selinux/targeted/setrans.conf file is the Multi-Category Security translation table for SELinux and maps levels to human-readable form such as s0:c0.c1023=SystemHigh. Do not edit this file with a text editor; use the semanage command to make changes.
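The range and level notation described above, worked through as an added example (not from the original page): the functions split an MLS/MCS range into its low and high levels and expand an abbreviated category set such as c0.c3 into the explicit list, so that two spellings of the same level can be compared. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: split an MLS/MCS range into its
# low and high levels and expand an abbreviated category set (c0.c3) into the
# explicit list (c0,c1,c2,c3) so two spellings of a level can be compared.

# Low level of a range: "s0-s0:c0.c1023" -> "s0"; a single level is its own low.
range_low()  { printf '%s\n' "${1%%-*}"; }
# High level of a range: "s0-s0:c0.c1023" -> "s0:c0.c1023"; single level -> itself.
range_high() { printf '%s\n' "${1#*-}"; }

# Expand "c0.c3,c5" -> "c0,c1,c2,c3,c5". Each comma-separated item is either
# a single category (cN) or an inclusive run (cN.cM).
expand_categories() {
    printf '%s\n' "$1" | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, r, ".")
            lo = substr(r[1], 2); hi = (n == 2) ? substr(r[2], 2) : lo
            for (c = lo + 0; c <= hi + 0; c++) out = out (out == "" ? "" : ",") "c" c
        }
        print out
    }'
}

# Canonical form of a level: sensitivity plus the expanded categories (if any).
canonical_level() {
    lvl=$1
    case "$lvl" in
        *:*) printf '%s:%s\n' "${lvl%%:*}" "$(expand_categories "${lvl#*:}")" ;;
        *)   printf '%s\n' "$lvl" ;;
    esac
}
```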
Use the chcon command to change the SELinux context for files. Changes made with the chcon command do not survive a file system relabel or the execution of the restorecon command. When using chcon, provide all or part of the SELinux context to change.
Confined SELinux Users
Linux users are mapped to the SELinux __default__ login by default, which is mapped to the SELinux unconfined_u user. However, SELinux can confine Linux users, to take advantage of the security rules and mechanisms applied to them, by mapping Linux users to confined SELinux users.
A number of confined SELinux users exist in SELinux policy. The following is a list of confined SELinux users and their associated domains:
- guest_u: The domain for the user is guest_t.
- staff_u: The domain for the user is staff_t.
- user_u: The domain for the user is user_t.
- xguest_u: The domain for the user is xguest_t.
- Linux users in the guest_t, xguest_t, and user_t domains can run set user ID (setuid) applications only if the SELinux policy permits it (such as passwd). They cannot run the su and sudo setuid applications to become the root user.
- Linux users in the guest_t domain have no network access and can log in only from a terminal. They can log in with ssh but cannot use ssh to connect to another system. The only network access Linux users in the xguest_t domain have is Firefox for connecting to webpages.
- Linux users in the xguest_t, user_t, and staff_t domains can log in using the X Window System and a terminal.
- By default, Linux users in the staff_t domain do not have permissions to execute applications with the sudo command.
- By default, Linux users in the guest_t and xguest_t domains cannot execute applications in their home directories or /tmp, preventing them from executing applications in directories they have write access to. This helps prevent flawed or malicious applications from modifying files that users own.
- By default, Linux users in the user_t and staff_t domains can execute applications in their home directories and /tmp.
Mapping Linux Users to SELinux Users
Use the semanage login -a command to map a Linux user to an SELinux user. For example, to map the Linux user john to the SELinux user_u user, run the following command:
# semanage login -a -s user_u john
The -a option adds a new record and the -s option specifies the SELinux user. The last argument, john, is the Linux user that you want mapped to the specified SELinux user.
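As an added example (not from the original page), the following script audits a constructed copy of the semanage login -l listing as it would look after the mapping above, reporting which logins are still mapped to unconfined_u and which SELinux user a login resolves to when it has no record of its own and falls back to __default__. The column layout and the sample logins are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit a constructed copy of
# `semanage login -l` output. Column layout assumed: Login Name, SELinux User,
# MLS/MCS Range, Service, as printed on a targeted-policy host.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
john                 user_u               s0                   *
alice                staff_u              s0-s0:c0.c1023       *'

# Print "login seuser range" for each data row (skips the header and blank lines).
login_rows() {
    printf '%s\n' "$SAMPLE_LOGINS" | awk 'NR > 1 && NF >= 3 { print $1, $2, $3 }'
}

# Logins explicitly mapped to unconfined_u. The __default__ entry is left out:
# it is only the fallback for users that have no record of their own.
unconfined_logins() {
    login_rows | awk '$2 == "unconfined_u" && $1 != "__default__" { print $1 }'
}

# The SELinux user a login resolves to: its own record if present, otherwise
# the __default__ mapping (the same fallback the login system applies).
seuser_for() {
    login_rows | awk -v u="$1" '
        $1 == u            { hit = $2 }
        $1 == "__default__" { def = $2 }
        END { print (hit != "" ? hit : def) }'
}
```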
Booleans for Users Executing Applications
Some Booleans are available to change user behavior when running applications in their home directories and in /tmp. Use the setsebool -P boolean on|off command:
1. To allow Linux users in the guest_t domain to execute applications in their home directories and /tmp:
# setsebool -P guest_exec_content on
2. To allow Linux users in the xguest_t domain to execute applications in their home directories and /tmp:
# setsebool -P xguest_exec_content on
3. To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp:
# setsebool -P user_exec_content off
4. To prevent Linux users in the staff_t domain from executing applications in their home directories and /tmp:
# setsebool -P staff_exec_content off
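The four exec_content Booleans listed above, checked for drift as an added example (not from the original page): the script compares a constructed excerpt of getsebool -a output against the defaults the text describes (guest_t and xguest_t off, user_t and staff_t on) and prints the setsebool -P command that would restore each deviating one. The sample values and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: compare the *_exec_content
# Booleans in a constructed `getsebool -a` excerpt against the defaults the
# text describes and flag any that deviate. Sample values are constructed.
SAMPLE_BOOLS='guest_exec_content --> on
staff_exec_content --> on
user_exec_content --> on
xguest_exec_content --> off'

# Default value per Boolean, as described in the text (guest/xguest off,
# user/staff on).
expected_exec_default() {
    case "$1" in
        guest_exec_content|xguest_exec_content) echo off ;;
        user_exec_content|staff_exec_content)   echo on ;;
        *) return 1 ;;
    esac
}

# Current value of one Boolean from the sample (empty if absent).
current_bool() {
    printf '%s\n' "$SAMPLE_BOOLS" | awk -v b="$1" '$1 == b { print $3 }'
}

# Print "name current expected" for every exec_content Boolean whose value
# differs from the described default; prints nothing when all match.
exec_content_drift() {
    for b in guest_exec_content xguest_exec_content user_exec_content staff_exec_content; do
        cur=$(current_bool "$b")
        exp=$(expected_exec_default "$b")
        [ -n "$cur" ] && [ "$cur" != "$exp" ] && echo "$b $cur $exp"
    done
    return 0
}

# The setsebool -P command that restores each drifted Boolean to its default.
remediation_commands() {
    exec_content_drift | while read -r name cur exp; do
        echo "setsebool -P $name $exp"
    done
}
```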