6.4 User Declarations
User declarations associate roles with SELinux users. A user
cannot enter a role unless the role has been associated with the
user's current identity. Figure 6-14 shows the syntax of user declarations.
Figure 6-14. User declaration syntax

src/policy/users file:
user system_u roles system_r;
user user_u roles { user_r };
user root roles { staff_r };

In the Fedora Core 2 implementation of SELinux, the src/policy/users file includes M4 macros that can differently define the roles associated with the user_u and root users. If the user_canbe_sysadm symbol is defined, the user_u user is instead defined as:

user user_u roles { user_r sysadm_r system_r };

And, if the direct_sysadm_daemon symbol is defined, the root user is instead defined as:

user root roles { staff_r system_r };

Both the user_canbe_sysadm and direct_sysadm_daemon symbols are defined in the tunable.te file. They can be undefined by prefixing the appropriate lines with dnl, the M4 comment token.

If your system includes one or more user accounts other than root, you should update the users file so that it associates each user account with either the role user_r (for ordinary users) or staff_r (for users who administer the system). For instance, you might add declarations such as these:

user ordinary roles user_r;
user admin roles staff_r;
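
The following audit script is an added example, not part of the original text or of the SELinux policy sources. It parses user declarations in both forms shown in this section and reports which SELinux users are associated with privileged roles. It assumes the input has already been expanded by M4; the names parse_users, can_enter, privileged_users and the PRIVILEGED set are choices of this example.

```python
import re

# Matches both forms shown above: "roles user_r;" and "roles { user_r sysadm_r };"
USER_DECL = re.compile(
    r"^\s*user\s+(?P<user>\w+)\s+roles\s+"
    r"(?:\{\s*(?P<set>[\w\s]+?)\s*\}|(?P<one>\w+))\s*;"
)

# Roles this audit treats as privileged (an assumption of this example).
PRIVILEGED = {"sysadm_r", "system_r"}


def parse_users(text):
    """Return {selinux_user: set(roles)}; dnl and # comment lines are skipped."""
    users = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("dnl", "#")):
            continue
        m = USER_DECL.match(stripped)
        if m:
            # Repeated declarations for one user are merged (a choice of this example).
            roles = (m.group("set") or m.group("one")).split()
            users.setdefault(m.group("user"), set()).update(roles)
    return users


def can_enter(users, user, role):
    """A user may enter a role only if a declaration associates the two."""
    return role in users.get(user, set())


def privileged_users(users):
    """Users whose declarations include any role in PRIVILEGED."""
    return {u: sorted(r & PRIVILEGED) for u, r in users.items() if r & PRIVILEGED}


# Constructed sample input built from the declarations in this section.
SAMPLE = """\
user system_u roles system_r;
dnl user user_u roles { user_r sysadm_r system_r };
user user_u roles { user_r };
user root roles { staff_r system_r };
user ordinary roles user_r;
user admin roles staff_r;
"""

if __name__ == "__main__":
    print("privileged:", privileged_users(parse_users(SAMPLE)))
```

Running the same check against the expanded users file after changing tunable.te shows whether user_u or root picked up additional roles.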