9.4 Creating an SELinux User

By default, only three SELinux users are defined:

root
    Used by the system administrator

system_u
    Used by system processes and objects

user_u
    Used by generic users having no specific SELinux user identity

Unless your system has many users, you should generally create a specific SELinux user identity for each human user who will log in and use your SELinux system. To do so, modify the file users in the policy source directory.

9.4.1 Adding a System Administrator

It's important to add an SELinux user identity for each user who administers the system; otherwise, the user will be unable to transition to the sysadm_r role. To specify a user as a system administrator, add a declaration having the following form:

 user   wheel   roles staff_r sysadm_r; 

where wheel is the name of the user account. For example, to declare the user bill as an administrative user, add the following declaration:

 user bill roles staff_r sysadm_r; 

The Fedora Core implementation of SELinux provides a feature that enables a system administrator to launch daemons without using the run_init program. As a result, user declarations under Fedora Core are slightly different, taking the form:

 user   wheel   roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') }; 

The direct_sysadm_daemon M4 macro, which implements the feature, can be enabled or disabled by tweaking the file tunable.te. The feature is enabled by default. If the feature is enabled, the expanded macro gives the declaration the following form:

 user   wheel   roles {staff_r sysadm_r system_r}; 

which associates the user with the role system_r, as well as the two roles staff_r and sysadm_r.

The convenience provided by the direct_sysadm_daemon macro comes at the price of decreased system security, because every administrative user is also granted the system_r role normally reserved for daemons. Unless you highly value the convenience provided by the macro, you should disable it by commenting out its line in tunable.te with the M4 comment token dnl.


9.4.2 Adding an Ordinary User

If the user to be added is not a system administrator, add a declaration having the following form:

 user   pleb   roles user_r; 

where pleb is the name of the user account. For example, to declare the user patrick as an ordinary user, add the following declaration:

 user patrick roles user_r; 

The Fedora Core implementation of SELinux provides a feature that enables ordinary users to become system administrators. As a result, user declarations under Fedora Core are slightly different, taking the form:

 user   pleb   roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') }; 

The user_canbe_sysadm M4 macro, which implements the feature, can be enabled or disabled by tweaking the file tunable.te. By default, the feature is enabled. If the feature is enabled, the expanded macro gives the declaration the following form:

 user   pleb   roles { user_r sysadm_r system_r }; 

which associates the user with the roles sysadm_r and system_r as well as the role user_r.

Unless you highly value the convenience provided by the user_canbe_sysadm macro, you should disable it by prefixing the appropriate line in tunable.te with the M4 comment token, dnl.
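Because the roles a user finally receives depend on which tunables survive macro expansion, it is worth auditing the expanded users declarations rather than the source text. The following added example (not from the book or the Fedora Core policy) emulates the ifdef and dnl handling for the two tunables discussed in 9.4.1 and 9.4.2, parses the resulting user declarations, and reports every identity that can reach sysadm_r or system_r. The tunable.te and users fragments are constructed for illustration, and the user names are assumed.

```python
import re

# Constructed tunable.te fragment: direct_sysadm_daemon commented out with dnl,
# user_canbe_sysadm left at its default (enabled). Same define/dnl convention as the text.
TUNABLE_TE = """\
dnl define(`direct_sysadm_daemon')
define(`user_canbe_sysadm')
"""

# Constructed users fragment using the Fedora Core declaration forms shown above.
USERS = """\
user bill roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
user patrick roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') };
user alice roles user_r;
"""

DEFINE_RE = re.compile(r"^\s*define\(`(\w+)'\)")
IFDEF_RE = re.compile(r"ifdef\(`(\w+)',\s*`([^']*)'\)")
USER_RE = re.compile(r"^\s*user\s+(\w+)\s+roles\s+\{?\s*([\w\s]+?)\s*\}?\s*;")

def enabled_tunables(tunable_te):
    """Names defined in tunable.te; a line prefixed with dnl is an M4 comment and is skipped."""
    names = set()
    for line in tunable_te.splitlines():
        if line.lstrip().startswith("dnl"):
            continue
        m = DEFINE_RE.match(line)
        if m:
            names.add(m.group(1))
    return names

def expand_ifdef(text, defined):
    """Emulate M4 ifdef(`name', `body'): keep body when name is defined, else drop it."""
    return IFDEF_RE.sub(lambda m: m.group(2) if m.group(1) in defined else "", text)

def parse_users(users_text):
    """Map each SELinux user identity to the set of roles its declaration grants."""
    roles = {}
    for line in users_text.splitlines():
        m = USER_RE.match(line)
        if m:
            roles[m.group(1)] = set(m.group(2).split())
    return roles

def privileged_users(users_text, tunable_te):
    """Identities that end up with sysadm_r or system_r after macro expansion."""
    expanded = expand_ifdef(users_text, enabled_tunables(tunable_te))
    return {u: r for u, r in parse_users(expanded).items() if r & {"sysadm_r", "system_r"}}

if __name__ == "__main__":
    for user, roles in privileged_users(USERS, TUNABLE_TE).items():
        print(user, sorted(roles))
```

With the constructed fragments, bill keeps only staff_r and sysadm_r (system_r was removed by disabling direct_sysadm_daemon), while patrick still reaches sysadm_r and system_r because user_canbe_sysadm is enabled.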




SELinux. NSA's Open Source Security Enhanced Linux
ISBN: 0596007167
Year: 2003
Pages: 100
Authors: Bill McCarty
