Chapter 6. Confining Users
A number of confined SELinux users are available in Red Hat Enterprise Linux 6. Each Linux user is mapped to an SELinux user via SELinux policy, allowing Linux users to inherit the restrictions placed on SELinux users, for example (depending on the user), not being able to: run the X Window System; use networking; run setuid applications (unless SELinux policy permits it); or run the
su
and sudo
commands. This helps protect the system from the user. Refer to Section 4.3, “Confined and Unconfined Users” for further information about confined users.
6.1. Linux and SELinux User Mappings
As the Linux root user, run the
semanage login -l
command to view the mapping between Linux users and SELinux users:
~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
In Red Hat Enterprise Linux 6, Linux users are mapped to the SELinux
__default__
login by default (which is in turn mapped to the SELinux unconfined_u
user). When a Linux user is created with the useradd
command, if no options are specified, they are mapped to the SELinux unconfined_u
user. The following defines the default-mapping:
__default__ unconfined_u s0-s0:c0.c1023