9.4 Creating an SELinux User
By default, only three SELinux users are defined:

root
    Used by the system administrator
system_u
    Used by system processes and objects
user_u
    Used by generic users having no specific SELinux user identity

Unless your system has many users, you should generally create a
specific SELinux user identity for each human user who will log in
and use your SELinux system. To do so, modify the file users in the
policy source directory.
9.4.1 Adding a System Administrator
It's important to add an SELinux user identity for each user who
administers the system; otherwise, the user will be unable to
transition to the sysadm_r role. To specify a user as a system
administrator, add a declaration having the following form:

    user wheel roles staff_r sysadm_r;

where wheel is the name of the user account. For example, to declare
the user bill as an administrative user, add the following
declaration:

    user bill roles staff_r sysadm_r;

The Fedora Core implementation of SELinux provides a feature that
enables a system administrator to launch daemons without using the
run_init program. As a result, user declarations under Fedora Core
are slightly different, taking the form:

    user wheel roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };

The direct_sysadm_daemon M4 macro, which implements the feature, can
be enabled or disabled by tweaking the file tunable.te. The feature
is enabled by default. If the feature is enabled, the expanded macro
gives the declaration the following form:

    user wheel roles { staff_r sysadm_r system_r };

which associates the user with the role system_r, as well as the two
roles staff_r and sysadm_r.

The convenience provided by the direct_sysadm_daemon macro comes at
the price of decreased system security. Unless you highly value the
convenience provided by the macro, you should disable it, by
prefixing the appropriate line in tunable.te with the M4 comment
token, dnl.
9.4.2 Adding an Ordinary User
If the user to be added is not a system administrator, add a
declaration having the following form:

    user pleb roles user_r;

where pleb is the name of the user account. For example, to declare
the user patrick as an ordinary user, add the following declaration:

    user patrick roles user_r;

The Fedora Core implementation of SELinux provides a feature that
enables ordinary users to become system administrators. As a result,
user declarations under Fedora Core are slightly different, taking
the form:

    user pleb roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') };

The user_canbe_sysadm M4 macro, which implements the feature, can be
enabled or disabled by tweaking the file tunable.te. By default, the
feature is enabled. If the feature is enabled, the expanded macro
gives the declaration the following form:

    user pleb roles { user_r sysadm_r system_r };

which associates the user with the roles sysadm_r and system_r as
well as the role user_r.

Unless you highly value the convenience provided by the
user_canbe_sysadm macro, you should disable it, by prefixing the
appropriate line in tunable.te with the M4 comment token, dnl.
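As an added example that is not from the book or from the Fedora Core policy, the following Python script emulates the M4 expansion described in 9.4.1 and 9.4.2 and reports the roles each SELinux user ends up with under a given tunable.te. It lets an administrator check, before rebuilding policy, whether a tunable such as user_canbe_sysadm leaves ordinary accounts a path to sysadm_r. The users and tunable.te contents are constructed samples built from the declaration forms shown above; the define(`name') / dnl convention for tunable.te, the two-argument ifdef form, and the function names are assumptions of this example.

```python
import re

# Constructed sample of a policy-source "users" file, written in the
# declaration forms shown in this section (not copied from any distribution).
USERS_FILE = """
user system_u roles system_r;
user user_u roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') };
user root roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
user bill roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
user patrick roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') };
"""

# Constructed sample tunable.te: one feature enabled, one disabled by
# prefixing its define line with the M4 comment token dnl (assumed layout).
TUNABLE_TE = """
dnl Allow sysadm_r to launch daemons without run_init.
define(`direct_sysadm_daemon')
dnl Allow ordinary users to transition to sysadm_r.
dnl define(`user_canbe_sysadm')
"""

DEFINE_RE = re.compile(r"^\s*define\(`(\w+)'\)")
IFDEF_RE = re.compile(r"ifdef\(`(\w+)',\s*`([^']*)'\)")
USER_RE = re.compile(r"^\s*user\s+(\w+)\s+roles\s+(.*?)\s*;\s*$")


def enabled_tunables(tunable_text):
    """Return the set of M4 symbols defined in tunable.te.

    A define( that follows dnl on its line is inside an M4 comment, so it
    never matches DEFINE_RE (anchored at line start) and counts as disabled.
    """
    enabled = set()
    for line in tunable_text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            enabled.add(m.group(1))
    return enabled


def expand_ifdefs(line, enabled):
    """Emulate ifdef(`sym', `text'): keep text if sym is defined, else drop it."""
    return IFDEF_RE.sub(lambda m: m.group(2) if m.group(1) in enabled else "", line)


def effective_roles(users_text, tunable_text):
    """Map each declared SELinux user to the role set it has after expansion."""
    enabled = enabled_tunables(tunable_text)
    roles = {}
    for raw in users_text.splitlines():
        m = USER_RE.match(expand_ifdefs(raw, enabled))
        if not m:
            continue  # blank line or something that is not a user declaration
        name, role_list = m.groups()
        # Accept both the braced form "{ a b }" and the bare form "a b".
        roles[name] = set(role_list.strip("{} ").split())
    return roles


def users_with_admin_path(roles):
    """Users holding user_r and sysadm_r together: ordinary accounts that
    can become administrators, which is what user_canbe_sysadm grants."""
    return sorted(n for n, r in roles.items() if {"user_r", "sysadm_r"} <= r)


if __name__ == "__main__":
    result = effective_roles(USERS_FILE, TUNABLE_TE)
    for name in sorted(result):
        print(f"{name:10s} {' '.join(sorted(result[name]))}")
    print("ordinary users who can reach sysadm_r:", users_with_admin_path(result))
```

With the sample tunable.te above, root and bill receive system_r through direct_sysadm_daemon while patrick and user_u keep only user_r; removing the dnl in front of define(`user_canbe_sysadm') and rerunning shows both of them gaining sysadm_r and system_r, which is exactly the change the section recommends against.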