6.4 User Declarations


User declarations associate roles with SELinux users. A user cannot enter a role unless the role has been associated with the user's current identity.

Figure 6-14 shows the syntax of user declarations.

Figure 6-14. User declaration syntax (figure image not reproduced)

Here are typical user declarations found in the src/policy/users file:

 user system_u roles system_r;
 user user_u   roles { user_r };
 user root     roles { staff_r };

In the Fedora Core 2 implementation of SELinux, the src/policy/users file includes M4 conditional macros that change the roles associated with the user_u and root users depending on which tunable symbols are defined. If the user_canbe_sysadm symbol is defined, the user_u user is instead defined as:

 user user_u   roles { user_r sysadm_r system_r }; 

And, if the direct_sysadm_daemon symbol is defined, the root user is instead defined as:

 user root     roles { staff_r system_r }; 

Both the user_canbe_sysadm and direct_sysadm_daemon symbols are defined in the tunable.te file. Either can be undefined by prefixing the appropriate line with dnl, the M4 comment token.

If your system includes one or more user accounts other than root, you should update the users file so that it associates each user account with either the role user_r (for ordinary users) or staff_r (for users who administer the system). For instance, you might add declarations such as these:

 user ordinary roles user_r;
 user admin    roles staff_r;
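As an added illustration (not code from the book), the following Python script parses user declarations of this form and answers the question the section opens with: whether a given SELinux identity may enter a given role. The users_file helper is a constructed stand-in for src/policy/users in which the two M4 tunables described above are resolved in Python rather than by m4; the guest account commented out with dnl is also constructed.

```python
"""Parse SELinux user declarations and check user-to-role association."""
import re

# One declaration: "user NAME roles ROLE;" or "user NAME roles { ROLE ... };"
USER_DECL = re.compile(r"\buser\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)\s*;")


def strip_comments(text):
    """Drop M4 'dnl' comment lines and '#' comments before parsing."""
    kept = []
    for line in text.splitlines():
        if line.strip().startswith(("dnl", "#")):
            continue
        kept.append(line.split("#", 1)[0])
    return "\n".join(kept)


def parse_users(text):
    """Return {user: set(roles)} for every declaration in the policy text."""
    users = {}
    for name, roles in USER_DECL.findall(strip_comments(text)):
        users.setdefault(name, set()).update(roles.strip("{}").split())
    return users


def can_enter_role(users, user, role):
    """A user may enter a role only if the role is associated with its identity."""
    return role in users.get(user, set())


def users_file(user_canbe_sysadm, direct_sysadm_daemon):
    """Constructed stand-in for src/policy/users with the tunables resolved."""
    user_u = ("user user_u   roles { user_r sysadm_r system_r };"
              if user_canbe_sysadm else "user user_u   roles { user_r };")
    root = ("user root     roles { staff_r system_r };"
            if direct_sysadm_daemon else "user root     roles { staff_r };")
    return "\n".join([
        "user system_u roles system_r;",
        user_u,
        root,
        "user ordinary roles user_r;   # constructed local account",
        "user admin    roles staff_r;",
        "dnl user guest roles user_r;  # constructed, disabled with dnl",
    ])


if __name__ == "__main__":
    for flags in [(False, False), (True, True)]:
        policy = parse_users(users_file(*flags))
        print(flags, "user_u->sysadm_r:", can_enter_role(policy, "user_u", "sysadm_r"),
              "root->system_r:", can_enter_role(policy, "root", "system_r"))
```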



SELinux: NSA's Open Source Security Enhanced Linux
ISBN: 0596007167
Year: 2003
Pages: 100
Authors: Bill McCarty