红帽全球峰会此内容没有您所选择的语言版本。
6.2. Confining New Linux Users: useradd
Linux users mapped to the SELinux
unconfined_u user run in the unconfined_t domain. This is seen by running the id -Z command while logged-in as a Linux user mapped to unconfined_u:
id -Z
~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
When Linux users run in the
unconfined_t domain, SELinux policy rules are applied, but policy rules exist that allow Linux users running in the unconfined_t domain almost all access. If unconfined Linux users execute an application that SELinux policy defines can transition from the unconfined_t domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy.
Note
This does not protect the system from the user. Instead, the user and the system are being protected from possible damage caused by a flaw in the application.
When creating Linux users with the
useradd command, use the -Z option to specify which SELinux user they are mapped to. The following example creates a new Linux user, useruuser, and maps that user to the SELinux user_u user. Linux users mapped to the SELinux user_u user run in the user_t domain. In this domain, Linux users are unable to run setuid applications unless SELinux policy permits it (such as passwd), and cannot run the su or sudo command, preventing them from becoming the Linux root user with these commands.
- As the Linux root user, run the
useradd -Z user_u useruusercommand to create a new Linux user (useruuser) that is mapped to the SELinuxuser_uuser. - As the Linux root user, run the
semanage login -lcommand to view the mapping between the Linuxuseruuseruser anduser_u:Copy to Clipboard Copied! Toggle word wrap Toggle overflow - As the Linux root user, run the
passwd useruusercommand to assign a password to the Linuxuseruuseruser:Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Log out of your current session, and log in as the Linux
useruuseruser. When you log in, pam_selinux maps the Linux user to an SELinux user (in this case,user_u), and sets up the resulting SELinux context. The Linux user's shell is then launched with this context. Run theid -Zcommand to view the context of a Linux user:id -Z
~]$ id -Z user_u:user_r:user_t:s0Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Log out of the Linux
useruuser's session, and log back in with your account. If you do not want the Linuxuseruuseruser, run theuserdel -r useruusercommand as the Linux root user to remove it, along with its home directory.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}