3.2. Roles and access rights of SELinux users
The SELinux policy maps each Linux user to an SELinux user. This allows Linux users to inherit the restrictions of SELinux users.
You can customize the permissions of confined users in your SELinux policy according to specific needs by adjusting booleans in the policy. You can determine the current state of these booleans with the `semanage boolean -l` command. To list all SELinux users, their SELinux roles, and their levels and ranges for MLS and MCS, use the `semanage user -l` command as root.
| User | Default role | Additional roles |
|---|---|---|
Note that system_u is a special user identity for system processes and objects, and system_r is the associated role. Administrators must never associate the system_u user or the system_r role with a Linux user. Also, unconfined_u and root are unconfined users. For these reasons, the roles associated with these SELinux users are not included in the following table, Types and access rights of SELinux roles.
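The note above is a check worth automating: the Linux-user to SELinux-user mappings are what `semanage login -l` prints, so a script can flag any login mapped to system_u and list logins that resolve to the unconfined user. The following is an added example, not code from the Red Hat documentation; it assumes the four-column layout (Login Name, SELinux User, MLS/MCS Range, Service) shown in the constructed sample, and `sample_logins` stands in for the real command so it runs offline.

```shell
#!/bin/sh
# Audit Linux-user -> SELinux-user mappings for the two conditions the text
# describes: system_u must never be mapped to a login, and unconfined_u logins
# inherit none of the confined-user restrictions.

# Constructed sample output in the layout of `semanage login -l`
# (the logins bob and carol are fictitious and exist only for this example).
sample_logins() {
cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
bob                  system_u             s0-s0:c0.c1023       *
carol                unconfined_u         s0-s0:c0.c1023       *
EOF
}

# audit_logins reads `semanage login -l` style output on stdin and prints one
# finding per line as "<login> <selinux_user> <reason>".
# Exit status is 1 when a system_u mapping is present, 0 otherwise.
audit_logins() {
    awk '
        NR == 1 || NF < 2 { next }   # skip the header line and blank lines
        $2 == "system_u" {
            print $1, $2, "ERROR: system_u must never be mapped to a Linux user"
            bad = 1
        }
        $2 == "unconfined_u" && $1 != "root" {
            print $1, $2, "INFO: unconfined login, no confined-user restrictions apply"
        }
        END { exit bad ? 1 : 0 }
    '
}

# Offline usage:   sample_logins | audit_logins
# On a real host:  semanage login -l | audit_logins
```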
Each SELinux role corresponds to an SELinux type and provides specific access rights.
| Role | Type | Log in using X Window System | su and sudo | Execute in home directory and /tmp (default) | Networking |
|---|---|---|---|---|---|
| | | yes | yes | yes | yes |
| | | no | no | yes | no |
| | | yes | no | yes | web browsers only (Mozilla Firefox, GNOME Web) |
| | | yes | no | yes | yes |
| | | yes | only | yes | yes |
| | | yes | yes | yes | |
| | | yes | yes | yes | |
| | | yes | yes | yes | |
| | | yes | yes | yes | |
| | | yes | yes | yes | |
| | | only when the | yes | yes | yes |
For more detailed descriptions of the non-administrator roles, see Confined non-administrator roles in SELinux.
For more detailed descriptions of the administrator roles, see Confined administrator roles in SELinux.
To list all available roles, enter the `seinfo -r` command:

```
$ seinfo -r
Roles: 14
auditadm_r
dbadm_r
guest_r
logadm_r
nx_server_r
object_r
secadm_r
staff_r
sysadm_r
system_r
unconfined_r
user_r
webadm_r
xguest_r
```
Note that the `seinfo` command is provided by the setools-console package, which is not installed by default.