User-oriented SELinux contexts

June 01, 2021

Once logged in to a system, our user runs inside a certain context. This user context defines the rights and privileges that we, as a user, have on the system. The command that shows current user information, id, can also display the current SELinux context:

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

On SELinux systems with a targeted policy type, chances are very high that all users are logged in as unconfined_u (the first part of the context). On more restricted systems, the user can be user_u (regular restricted users), staff_u (operators), sysadm_u (system administrators), or any of the other SELinux users.

The SELinux user defines the roles that the user can switch to. SELinux roles themselves define the application domains that the user can use. By default, a fixed number of SELinux users are available on the system, but administrators can create additional SELinux users. It is also the administrator’s task to assign Linux logins to SELinux users.

SELinux roles, on the other hand, cannot be created through administrative commands, because roles are part of the SELinux policy itself. To add a role, the policy has to be extended with additional rules that define it.

To view the currently available roles, use seinfo:

# seinfo --role
Roles: 14
  auditadm_r
  dbadm_r
  ...
  xguest_r

SELinux roles can be coarse-grained (such as sysadm_r) or more functionality-oriented (such as dbadm_r). Custom SELinux roles can even be very fine-grained, only granting the ability to transition into limited domains.
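To make the four context fields and the user-to-role relationship concrete, here is an added shell example that is not part of the original article. The sample context and the user-to-roles map are constructed; the map is a simplified form of what semanage user -l reports, not its real output format, and the role assignments are typical targeted-policy defaults used only as sample data.

```shell
#!/bin/sh
# Added example: split an SELinux context (as printed by `id -Z`) into its
# fields and check the role against the SELinux user's allowed roles.
# Sample data is constructed; on a live system replace SAMPLE_CONTEXT with
# "$(id -Z)" and derive the map from `semanage user -l`.

SAMPLE_CONTEXT="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

# Constructed map, one line per SELinux user: "<selinux user> <roles...>"
SAMPLE_USER_MAP="unconfined_u system_r unconfined_r
user_u user_r
staff_u staff_r sysadm_r system_r unconfined_r
sysadm_u sysadm_r"

# A context has four fields: user:role:type:range. The MLS/MCS range itself
# contains ':' (s0-s0:c0.c1023), so the range is "everything after the
# third colon" (cut -f4-), not simply the fourth colon-separated field.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_range() { printf '%s\n' "$1" | cut -d: -f4-; }

# Print "allowed" (exit 0) if the context's role is one its SELinux user
# may hold according to the map, otherwise "denied" (exit 1).
# An SELinux user missing from the map has no roles and is denied.
role_allowed() {
    u=$(ctx_user "$1")
    r=$(ctx_role "$1")
    roles=$(printf '%s\n' "$SAMPLE_USER_MAP" | awk -v u="$u" '$1 == u { $1 = ""; print }')
    for allowed in $roles; do
        [ "$allowed" = "$r" ] && { echo allowed; return 0; }
    done
    echo denied
    return 1
}

# Stand-alone demonstration on the constructed context.
printf 'user=%s role=%s type=%s range=%s\n' \
    "$(ctx_user "$SAMPLE_CONTEXT")" "$(ctx_role "$SAMPLE_CONTEXT")" \
    "$(ctx_type "$SAMPLE_CONTEXT")" "$(ctx_range "$SAMPLE_CONTEXT")"
role_allowed "$SAMPLE_CONTEXT"
```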

Let’s see how to create and manage SELinux users.
