SELinux [Electronic resources] نسخه متنی

9.4 Creating an SELinux User

By default, only three SELinux users
are defined:

root

Used by the system
administrator

system_u

Used by system processes and objects

user_u

Used by generic users having no specific SELinux user identity

Unless your system has many users, you should generally create a
specific SELinux user identity for each human user who will log in
and use your SELinux system. To do so, modify the file
users in the policy source directory.

9.4.1 Adding a System Administrator

It's important to add an SELinux
user identity for each user who
administers the system; otherwise, the user will be unable to
transition to the
sysadm_r

role. To specify a user as a system administrator, add
a declaration having the following form:

user wheel
 roles staff_r sysadm_r;

where wheel
is the name of the user
account. For example, to declare the user bill
as
an administrative user, add the following declaration:

user bill role staff_r sysadm_r;

The Fedora Core implementation of SELinux provides a feature that
enables a system administrator to launch daemons without using the
run_init program. As a result, user declarations
under Fedora Core are slightly different, taking the form:

user wheel
 roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };

The
direct_sysadm_daemon
M4 macro, which implements the feature,
can be enabled or disabled by tweaking the file
tunable.te. The
feature is enabled by default. If the feature is enabled, the
expanded macro gives the declaration the following form:

user wheel
 roles {staff_r sysadm_r system_r};

which associates the user with the role system_r
,
as well as the two roles staff_r
and
sysadm_r
.

The convenience provided by the
direct_sysadm_daemon
macro comes at the price of
decreased system security. Unless you highly value the convenience
provided by the macro, you should disable it in the same way
direct_sysadm_daemon
can be disabled.

9.4.2 Adding an Ordinary User

If the user to be added is not a system
administrator, add a declaration having the following form:

user pleb
 roles user_r;

where pleb
is the name of the user
account. For example, to declare the user patrick

as an ordinary user, add the following declaration:

user patrick role user_r;

The Fedora Core implementation of SELinux provides a feature that
enables ordinary users to become system administrators. As a result,
user declarations under Fedora Core are slightly different, taking
the form:

user pleb
 roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') };

The
user_canbe_sysadm
M4 macro, which implements the feature,
can be enabled or disabled by tweaking the file
tunable.te. By default, the feature is enabled. If
the feature is enabled, the expanded macro gives the declaration the
following form:

user pleb
 roles { user_r sysadm_r system_r };

which associates the user with the roles sysadm_r

and system_r
as well as the
role user_r
.

Unless you highly value the convenience provided by the
user_canbe_sysadm
macro, you should disable it, by
prefixing the appropriate line in tunable.te
with the M4 comment token, dnl
.