Linux 101 : SELinux users



SELinux users:

SELinux ships with a number of preset users, and a Linux user can be mapped to one of them. We can list the SELinux users using:

SELinux user context:

When we log into a SELinux-enabled machine we are assigned a default context.

A context is a set of values that decides what we are allowed, and what we aren't allowed, to do on a system.

A context is usually made up of the below elements:
  • User : is used by SELinux to limit the roles that can be assigned to a user.
  • Role : it decides which types (for files/directories) or domains (for processes) a user can "use".
  • Type : it dictates how applications can interact with each other, and does the same for files.

We can display our context (labels) using the below command:


unconfined_u : unconfined user.

unconfined_r : unconfined role.

unconfined_t : unconfined type.

"unconfined" is for a user with unrestricted access, typically a root user.

Linux to SELinux users mapping:

To be able to see the existing mappings of Linux users to SELinux users, we use the below command:

Mapping Linux users to SELinux users:

We can map a Linux user to an SELinux user using the below command; here it maps the user Albert to the SELinux user user_u.

Modify a mapping to a different SELinux user:


This changes the mapping of the user Albert from user_u to sysadm_u.

user_u : is a generic user.

sysadm_u : is a generic system administration user.

For the above modification to take effect, we will need to stop all of Albert's processes:

Then we need to reset the labels of Albert's home directory:

Deleting a mapping:

We can delete a mapping that exists between a Linux user and an SELinux user using the below command (for the user Albert):

We then reset the labels of the home directory:
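The whole procedure from the sections above (map a user, change the mapping, stop the user's processes, relabel the home directory, delete the mapping) collected into one script, as an added example that is not part of the original post. It assumes the semanage and restorecon utilities from policycoreutils, a Linux account named albert with its home directory under /home/albert, and a DRY_RUN switch introduced here so the planned commands can be reviewed before they are run as root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes semanage(8) and
# restorecon(8) from policycoreutils, a Linux account "albert" whose home
# is /home/albert, and root privileges for the real (non-dry) run.
set -eu

# run CMD ARGS...: print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# selinux_map_user LINUX_USER SELINUX_USER
# Create a login mapping, e.g. albert -> user_u. Only new logins get the
# new label; a session that is already open keeps its old context.
selinux_map_user() {
  run semanage login -a -s "$2" "$1"
}

# selinux_remap_user LINUX_USER SELINUX_USER
# Change an existing mapping (e.g. user_u -> sysadm_u). Running processes
# still carry the old label, so they are killed, and the home directory is
# relabelled so its files match the new SELinux user.
selinux_remap_user() {
  run semanage login -m -s "$2" "$1"
  run pkill -KILL -u "$1" || true   # pkill exits 1 when nothing matched
  run restorecon -R -v "/home/$1"
}

# selinux_unmap_user LINUX_USER
# Remove the mapping; the account falls back to the __default__ entry of
# "semanage login -l", so the home directory is relabelled once more.
selinux_unmap_user() {
  run semanage login -d "$1"
  run restorecon -R -v "/home/$1"
}

# Review the plan first; drop DRY_RUN (and run as root) to apply it.
# DRY_RUN=1; selinux_remap_user albert sysadm_u
```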

