$ id -Z unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
On SELinux systems with a targeted policy type, chances are very high that all users are logged in as
unconfined_u (the first part of the context). On more restricted systems, the user can be
user_u (regular restricted users),
sysadm_u (system administrators), or any of the other SELinux users.
The SELinux user defines the roles that the user can switch to. SELinux roles themselves define the application domains that the user can use. By default, a fixed number of SELinux users are available on the system, but administrators can create additional SELinux users. It is also the administrator’s task to assign Linux logins to SELinux users.
SELinux roles, on the other hand, cannot be created through administrative commands, as SELinux roles are part of the SELinux policy. For this, the SELinux policy needs to be enhanced with additional rules that create the role.
To view the currently available roles, use
# seinfo --role Roles: 14 auditadm_r dbadm_r ... xguest_r
SELinux roles can be coarse-grained (such as
sysadm_r) or more functionality-oriented (such as
dbadm_r). Custom SELinux roles can even be very fine-grained, only granting the ability to transition into limited domains.
Let’s see how to create and manage SELinux users.