6.4 User Declarations

User declarations associate roles with SELinux users. A user cannot enter a role unless the role has been associated with the user's current identity. Figure 6-14 shows the syntax of user declarations.

[Figure 6-14. User declaration syntax]

Here are typical user declarations found in the src/policy/users file:

    user system_u roles system_r;
    user user_u roles { user_r };
    user root roles { staff_r };

In the Fedora Core 2 implementation of SELinux, the src/policy/users file includes M4 macros that can define the roles associated with the user_u and root users differently. If the user_canbe_sysadm symbol is defined, the user_u user is instead defined as:

    user user_u roles { user_r sysadm_r system_r };

And, if the direct_sysadm_daemon symbol is defined, the root user is instead defined as:

    user root roles { staff_r system_r };

Both the user_canbe_sysadm and direct_sysadm_daemon symbols are defined in the tunable.te file. They can be undefined by prefixing the appropriate lines with dnl, the M4 comment token.

If your system includes one or more user accounts other than root, you should update the users file so that it associates each user account with either the role user_r (for ordinary users) or staff_r (for users who administer the system). For instance, you might add declarations such as these:

    user ordinary roles user_r;
    user admin roles staff_r;
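The following added example (not from the book or from the SELinux policy toolchain) parses user declarations in the two forms shown above, skips lines commented out with the M4 dnl token, and answers the question the section opens with: whether a given user may enter a given role. The sample users-file text is constructed for the example.

```python
import re

# Constructed sample modelled on the src/policy/users declarations quoted above;
# the dnl-prefixed line stands for a declaration disabled via the M4 comment token.
SAMPLE_USERS_FILE = """\
user system_u roles system_r;
user user_u roles { user_r };
dnl user root roles { staff_r };
user root roles { staff_r system_r };
user ordinary roles user_r;
user admin roles staff_r;
"""

# Matches either "user NAME roles ROLE;" or "user NAME roles { ROLE ROLE ... };".
_DECL = re.compile(
    r"^\s*user\s+(?P<user>[A-Za-z0-9_]+)\s+roles\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<single>[A-Za-z0-9_]+))\s*;\s*$"
)


def parse_users(text):
    """Return {user: set of roles} from users-file text.

    Lines beginning with dnl are treated as M4 comments and ignored; any other
    line that is not a well-formed user declaration raises ValueError so that a
    typo in the policy source is noticed rather than silently dropped. Repeated
    declarations for one user are merged here (a simplification for the example).
    """
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("dnl"):
            continue
        m = _DECL.match(stripped)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised user declaration: {line!r}")
        if m.group("set") is not None:
            roles = m.group("set").split()
        else:
            roles = [m.group("single")]
        users.setdefault(m.group("user"), set()).update(roles)
    return users


def can_enter_role(users, user, role):
    """True only if the role has been associated with this user's identity."""
    return role in users.get(user, set())


if __name__ == "__main__":
    decls = parse_users(SAMPLE_USERS_FILE)
    for u, r in [("root", "system_r"), ("ordinary", "sysadm_r")]:
        print(f"{u} -> {r}: {'allowed' if can_enter_role(decls, u, r) else 'denied'}")
```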