49.5.2. Comparing SELinux and Standard Linux User Identities
SELinux maintains its own user identity for processes, separately from Linux user identities. In the targeted policy (the default for Red Hat Enterprise Linux), only a minimal number of SELinux user identities exist:
- system_u — System processes
- root — System administrator
- user_u — All login users
Use the
semanage user -l command to list SELinux users:
~]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
root user s0 s0-s0:c0.c1023 system_r sysadm_r user_r
system_u user s0 s0-s0:c0.c1023 system_r
user_u user s0 s0-s0:c0.c1023 system_r sysadm_r user_r
Refer to Section 49.8.3, “Understanding the Users and Roles in the Targeted Policy” for more information about SELinux users and roles.
SELinux Logins
One of the properties of targeted policy is that login users all run in the same security context. From a TE point of view, in targeted policy, they are security-equivalent. To effectively use MCS, however, we need to be able to assign different sets of categories to different Linux users, even though they are all the same SELinux user (user_u). This is solved by introducing the concept of an SELinux login. This is used during the login process to assign MCS categories to Linux users when their shell is launched.
Use the
semanage login -a command to assign Linux users to SELinux user identities:
~]#semanage login -a james~]#semanage login -a daniel~]#semanage login -a olga
Now when you list the SELinux users, you can see the Linux users assigned to a specific SELinux user identity:
~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
james user_u s0
daniel user_u s0
root root s0-s0:c0.c1023
olga user_u s0
Notice that at this stage only the root account is assigned to any categories. By default, the root account is configured with access to all categories.
Red Hat Enterprise Linux and SELinux are preconfigured with several default categories, but to make effective use of MCS, the system administrator typically modifies these or creates further categories to suit local requirements.
