Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE Manual page 58

Chapter 3. Targeted Policy Overview (page 44)

object_r
In SELinux, roles are not utilized for objects when RBAC is being used. Roles are strictly for subjects. This is because roles are task-oriented and they group together doers, which are subjects. For this reason, all objects universally have the role object_r as a placeholder in the label.

sysadm_r
This is the system administrator role in a strict policy. In such a policy, switching to the root user with su gives you the role of sysadm_r. However, if you log in directly as the root user, you may default to staff_r and still need to run newrole -r sysadm_r before doing many system administration tasks. In the targeted policy, the following types (domains) retain sysadm_r for compatibility:
unconfined_t
httpd_sys_script_t
httpd_helper_t
ldconfig_t
ndc_t

Similar to the situation for roles, there is effectively only one user identity in the targeted policy. The identity user_u was chosen because libselinux falls back to user_u as the default SELinux user identity. This occurs when there is no matching SELinux user for the Linux user who is logging in. Using user_u as the single user in the targeted policy makes it easier to switch to the strict policy.[2] The remaining users exist for compatibility with the strict policy.

The one exception is the SELinux user root. This user identity is picked up by login programs such as su, and you may notice root as the user identity in a process's context. This occurs when the SELinux user root starts daemons from the command line, or restarts a daemon originally started by init: the restarted daemon then carries root rather than system_u as the user part of its context.

Here is a brief look at the users file. Comments in /* */ are annotations from this guide; all other content is original source from the $SELINUX_SRC/users file.

src/policy/users

# Each user has a set of roles that may be entered by
# processes with the users identity.  The syntax of a user
# declaration is:
#
#       user username roles role_set [ ranges MLS_range_set ];

# system_u is the user identity for system processes and
# objects.  There should be no corresponding Unix user
# identity for system_u, and a user process should never be
# assigned the system_u user identity.
#
user system_u roles system_r;
/*
     ^- user name       ^- the role user name can have
*/

# user_u is a generic user identity for Linux users who have
# no SELinux user identity defined.  Authorized for all
# roles in the (targeted) policy.  sysadm_r is retained for
# compatibility, but could be dropped as long as userspace
# has no hardcoded dependency on it.  user_u must be
# retained due to present userspace hardcoded dependency.
#
user user_u roles { user_r sysadm_r system_r };
/*
     ^-user name   ^-set of roles the user name can have
*/

[2] A user aliasing mechanism would work here, as well, to alias all identities from the strict policy to a single user identity in the targeted policy.
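As an added example (not code from the guide, from Red Hat, or from the SELinux policy sources), the following Python parses declarations written in the users file grammar shown above, models the fall-back to user_u that the guide describes for libselinux, and checks the two rules the page states: object_r is an object placeholder and never a subject role, and system_u must have no corresponding Unix account. The USERS_FILE text is constructed for the example: its system_u and user_u lines mirror the targeted-policy file shown on this page, while the root line, its MLS ranges clause, and all function names are assumptions added to exercise the optional parts of the grammar.

```python
"""Parse SELinux 'users' declarations and resolve a Linux login to an SELinux user.

Added example; not code from the SELinux Guide or the policy sources.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample in the users-file grammar. The root line and its
# 'ranges' clause are assumptions added to exercise the optional syntax.
USERS_FILE = """\
# system_u is the user identity for system processes and objects.
user system_u roles system_r;

# user_u is a generic user identity for Linux users who have
# no SELinux user identity defined.
user user_u roles { user_r sysadm_r system_r };

/* constructed for this example: a strict-style declaration with an
   MLS range clause, to exercise the optional part of the grammar */
user root roles { user_r sysadm_r system_r } ranges s0 - s0:c0.c255;
"""

# user username roles role_set [ ranges MLS_range_set ];
# role_set is either one role or a brace-enclosed, whitespace-separated list.
# The trailing ';' is consumed by the statement split in parse_users().
_DECL = re.compile(
    r"""
    user\s+(?P<name>\w+)\s+
    roles\s+(?:\{(?P<roles>[^}]*)\}|(?P<role>\w+))
    (?:\s+ranges\s+(?P<ranges>.+?))?
    """,
    re.VERBOSE,
)


def strip_comments(text: str) -> str:
    """Remove '/* ... */' block comments and '#' line comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_users(text: str) -> Dict[str, Dict[str, object]]:
    """Return {selinux_user: {'roles': set_of_roles, 'ranges': str_or_None}}.

    Every ';'-terminated statement must be a well-formed user declaration;
    anything else raises ValueError rather than being silently skipped.
    """
    users: Dict[str, Dict[str, object]] = {}
    for stmt in strip_comments(text).split(";"):
        stmt = " ".join(stmt.split())  # collapse newlines and runs of spaces
        if not stmt:
            continue
        m = _DECL.fullmatch(stmt)
        if not m:
            raise ValueError(f"malformed user declaration: {stmt!r}")
        roles: Set[str] = (
            set(m.group("roles").split()) if m.group("roles") is not None
            else {m.group("role")}
        )
        if not roles:
            raise ValueError(f"empty role set for user {m.group('name')!r}")
        ranges: Optional[str] = m.group("ranges")
        users[m.group("name")] = {"roles": roles, "ranges": ranges}
    return users


def resolve_selinux_user(users: Dict[str, Dict[str, object]], linux_user: str,
                         default: str = "user_u") -> str:
    """Pick the SELinux user for a Linux login (simplified model of the
    libselinux behaviour described in the guide): a declared SELinux user
    with the same name wins, otherwise fall back to user_u. system_u is
    never handed to a user process."""
    if linux_user in users and linux_user != "system_u":
        return linux_user
    if default not in users:
        raise LookupError(f"no SELinux user for {linux_user!r} and {default!r} is not declared")
    return default


def may_enter_role(users: Dict[str, Dict[str, object]], selinux_user: str, role: str) -> bool:
    """True if the declaration authorises selinux_user for role."""
    entry = users.get(selinux_user)
    return bool(entry) and role in entry["roles"]


def check_policy(users: Dict[str, Dict[str, object]], linux_accounts: Iterable[str]) -> List[str]:
    """Apply the two rules the guide states and return human-readable findings."""
    findings: List[str] = []
    for name, entry in users.items():
        if "object_r" in entry["roles"]:
            findings.append(f"{name}: object_r is the object placeholder role, not a subject role")
    if "system_u" in set(linux_accounts):
        findings.append("system_u: a Unix account with this name exists; there must be none")
    return findings


if __name__ == "__main__":
    parsed = parse_users(USERS_FILE)
    for login in ("alice", "root"):
        su = resolve_selinux_user(parsed, login)
        print(f"{login} -> {su}, roles {sorted(parsed[su]['roles'])}")
    print("findings:", check_policy(parsed, {"root", "alice"}))
```

Running the block prints the resolved identity and role set for a login with no matching SELinux user (alice, which falls back to user_u) and for root, followed by an empty findings list; feeding it a declaration such as `user bogus roles { user_r object_r };` makes check_policy report the object_r misuse, and a statement that is not a user declaration makes parse_users raise.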