9.4 Creating an SELinux User By default, only three SELinux users are defined: -
- root
-
Used by the system administrator -
- system_u
-
Used by system processes and objects -
- user_u
-
Used by generic users having no specific SELinux user identity Unless your system has many users, you should generally create a specific SELinux user identity for each human user who will log in and use your SELinux system. To do so, modify the file users in the policy source directory. 9.4.1 Adding a System Administrator It's important to add an SELinux user identity for each user who administers the system; otherwise , the user will be unable to transition to the sysadm_r role. To specify a user as a system administrator, add a declaration having the following form: user wheel roles staff_r sysadm_r; where wheel is the name of the user account. For example, to declare the user bill as an administrative user, add the following declaration: user bill role staff_r sysadm_r; The Fedora Core implementation of SELinux provides a feature that enables a system administrator to launch daemons without using the run_init program. As a result, user declarations under Fedora Core are slightly different, taking the form: user wheel roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') }; The direct_sysadm_daemon M4 macro, which implements the feature, can be enabled or disabled by tweaking the file tunable.te . The feature is enabled by default. If the feature is enabled, the expanded macro gives the declaration the following form: user wheel roles {staff_r sysadm_r system_r}; which associates the user with the role system_r , as well as the two roles staff_r and sysadm_r . | The convenience provided by the direct_sysadm_daemon macro comes at the price of decreased system security. Unless you highly value the convenience provided by the macro, you should disable it in the same way direct_sysadm_daemon can be disabled. | | 9.4.2 Adding an Ordinary User If the user to be added is not a system administrator, add a declaration having the following form: user pleb roles user_r; where pleb is the name of the user account. For example, to declare the user patrick as an ordinary user, add the following declaration: user patrick role user_r; The Fedora Core implementation of SELinux provides a feature that enables ordinary users to become system administrators. As a result, user declarations under Fedora Core are slightly different, taking the form: user pleb roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') }; The user_canbe_sysadm M4 macro, which implements the feature, can be enabled or disabled by tweaking the file tunable.te . By default, the feature is enabled. If the feature is enabled, the expanded macro gives the declaration the following form: user pleb roles { user_r sysadm_r system_r }; which associates the user with the roles sysadm_r and system_r as well as the role user_r . | Unless you highly value the convenience provided by the user_canbe_sysadm macro, you should disable it, by prefixing the appropriate line in tunable.te with the M4 comment token, dnl . | | |