9.5 Customizing Roles


The SELinux RBAC associates roles with users and domains. A given user is authorized only for specific roles, and a given role is authorized only for specific domains. Thus, a user cannot enter a domain unless the user is associated with a role authorized for the domain.

By default, the SELinux policy defines four roles:

    staff_r
        Used by users authorized to transition to the sysadm_r role

    sysadm_r
        Used by the system administrator

    system_r
        Used by system processes and objects

    user_r
        Used by ordinary users, who are not authorized to transition to the sysadm_r role

The fact that many system processes and objects share the system_r role does not mean that SELinux violates the principle of least privilege. Processes and objects generally have discrete types that determine the operations that they can perform and that can be performed on them. As commonly used, roles don't authorize operations; instead they limit the types available to a process or object.


These roles are defined, and associated with users, by the user declarations appearing in the users file.

The Fedora Core SELinux policy defines two additional roles:

    cyrus_r
        Used by the Cyrus IMAP daemon

    mailman_r
        Used by the GNU mailing list manager application, Mailman

A role is defined by a role declaration that associates it with a domain. If multiple declarations associate a single role with multiple domains, the role is authorized to enter each of the domains specified. By convention, role declarations are not centralized in a single file; instead, the role declarations for a given domain generally appear in the TE file associated with the domain.

It's generally not necessary to create a new SELinux role. However, it's often necessary to authorize one of the predefined roles to enter a particular domain, particularly a customized domain. To do so, add a role declaration to the TE file associated with the domain. The declaration should have the form:

    role role_name types domain_name;

where role_name is the name of the role, and domain_name is the name of the domain the role is to be authorized to enter. As explained, you can specify any number of role declarations for a given role.
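The user-to-role-to-domain chain described above can be checked mechanically. The following is an added example, not code from the book: it parses role declarations of the form shown here (role ... types ...;) and, as an assumption about the users file, user declarations of the form "user NAME roles { r1 r2 };", then reports which domains a given SELinux user may enter. The policy fragments are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample users file (not from the book): which roles each user holds.
USERS_FILE = """
user system_u roles system_r;
user root roles { staff_r sysadm_r };
user jdoe roles user_r;
"""

# Constructed sample of role declarations, as they would be spread across TE files.
TE_FILES = """
role system_r types { init_t syslogd_t };
role sysadm_r types sysadm_t;
role staff_r types staff_t;
role user_r types user_t;
# A customized domain (myapp_t) authorized for two roles via two declarations
role sysadm_r types myapp_t;
role staff_r types myapp_t;
"""

_ROLE_DECL = re.compile(r"^\s*role\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)\s*;")
_USER_DECL = re.compile(r"^\s*user\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)\s*;")

def _names(field):
    """'{ a b }' -> {'a', 'b'}; 'a' -> {'a'}"""
    return set(field.strip("{} ").split())

def _strip_comments(text):
    return (line.split("#", 1)[0] for line in text.splitlines())

def parse_role_types(text):
    """role -> set of domain types; repeated declarations for a role accumulate."""
    roles = defaultdict(set)
    for line in _strip_comments(text):
        m = _ROLE_DECL.match(line)
        if m:
            roles[m.group(1)] |= _names(m.group(2))
    return dict(roles)

def parse_user_roles(text):
    """user -> set of roles the user is authorized for."""
    users = {}
    for line in _strip_comments(text):
        m = _USER_DECL.match(line)
        if m:
            users[m.group(1)] = _names(m.group(2))
    return users

def domains_for_user(user, users, roles):
    """Domains reachable by the user: union of the types of each authorized role."""
    return set().union(*(roles.get(r, set()) for r in users.get(user, ())))
```

Running domains_for_user("root", ...) on the sample yields staff_t, sysadm_t and myapp_t, while jdoe is confined to user_t because only sysadm_r and staff_r were authorized for myapp_t.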



SELinux: NSA's Open Source Security Enhanced Linux
ISBN: 0596007167
Year: 2003
Pages: 100
Author: Bill McCarty
