Linux 101 : SELinux users
SELinux has a number of preset users, and a Linux user can be mapped to an SELinux user. We can list the SELinux users using:
SELinux user context:
When we log into a SELinux-enabled machine we are assigned a default context.
A context is a set of values that decides what we are allowed and what we aren't allowed to do on a system. A context is usually made up of the below elements:
- User : is used by SELinux to limit the roles that can be assigned to a user.
- Role : it decides which types (for files/directories) or domains (for processes) a user can "use".
- Type : it dictates how applications can interact with each other, and it does the same for files.
We can display our context (labels) using the below command:
unconfined_u : unconfined user.
unconfined_r : unconfined role.
unconfined_t : unconfined type.
"unconfined" is for a user with unrestricted access, typically a root user.
Linux to SELinux users mapping:
To be able to see the existing mappings of Linux users to SELinux users, we use the below command:
Mapping Linux users to SELinux users:
We can map a Linux user to an SELinux user using the below command; it maps the user Albert to the SELinux user user_u.
Modify a mapping to a different SELinux user:
user_u : is a generic user.
sysadmin_u : is a generic system administration user.
For the above modification to take effect, we will need to stop all of Albert's processes:
Then we need to reset the labels of Albert's home directory:
Deleting a mapping:
We can delete a mapping that exists between a Linux user and an SELinux user using the below command (for the user Albert):
We then reset the labels of the home directory:
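The context fields and the login mapping described above, as an added example that is not part of the original post: it splits a context label into its user/role/type/level fields, audits a constructed copy of the text `semanage login -l` prints for Linux logins mapped to unconfined_u, and prints (without running) the remap, kill and relabel sequence for each one. The user names and the sample listing are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not the post's own code. Works on constructed text so it
# runs offline; the listing below is a constructed sample in the layout
# that `semanage login -l` prints.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
albert               user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
jane                 unconfined_u         s0-s0:c0.c1023       *'

# Print one field of a context label (user:role:type[:level]).
# Usage: context_field 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' role
context_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# List Linux logins mapped to unconfined_u, skipping the two header lines,
# the __default__ entry and root: these accounts run with no SELinux
# confinement and are the ones worth reviewing.
unconfined_logins() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "unconfined_u" \
        && $1 != "__default__" && $1 != "root" { print $1 }'
}

# Print, without executing, the sequence the post describes for one login:
# remap to the generic user_u, stop the user's processes, relabel the home.
remediation_plan() {
    printf 'semanage login -m -s user_u %s\n' "$1"
    printf 'pkill -KILL -u %s\n' "$1"
    printf 'restorecon -R -F -v /home/%s\n' "$1"
}

unconfined_logins "$SAMPLE_LOGINS" | while read -r login; do
    echo "# $login is mapped to unconfined_u; suggested fix:"
    remediation_plan "$login"
done
```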