Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual page 774

Chapter 44. Security and SELinux
mailman_cgi_t
mailman_mail_t
mailman_queue_t
mysqld_t
named_t
ndc_t
nscd_t
ntpd_t
pegasus_t
portmap_t
postgresql_t
snmpd_t
squid_t
syslogd_t
system_mail_t
unconfined_t
winbind_helper_t
winbind_t
ypbind_t
user_r
This is the default user role for regular Linux users. In a strict policy, individual users might be
used, allowing those users to have special roles to perform privileged operations. In the targeted
policy, all users run in the unconfined_t domain.
object_r
In SELinux, roles are not utilized for objects when RBAC is being used. Roles are strictly for
subjects. This is because roles are task-oriented and they group together entities which perform
actions (for example, processes). All such entities are collectively referred to as subjects. For
this reason, all objects have the role object_r, and the role is only used as a placeholder in the
label.
sysadm_r
This is the system administrator role in a strict policy. If you log in directly as the root user, the
default role may actually be staff_r. If this is true, use the newrole -r sysadm_r command
to change to the SELinux system administrator role to perform system administration tasks. In the
targeted policy, the following retain sysadm_r for compatibility:
sysadm_r (6 types)
httpd_helper_t
httpd_sys_script_t
initrc_t
ldconfig_t
ndc_t
unconfined_t
There is effectively only one user identity in the targeted policy. The user_u identity was chosen
because libselinux falls back to user_u as the default SELinux user identity. This occurs when
there is no matching SELinux user for the Linux user who is logging in. Using user_u as the single
user in the targeted policy makes it easier to change to the strict policy. The remaining users exist for
compatibility with the strict policy.
A user aliasing mechanism would also work here, to alias all identities from the strict policy to a single user identity in the
targeted policy.
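
The role discussed above is the second colon-separated field of an SELinux context (user:role:type, optionally followed by a level). The script below is an added example, not part of the Red Hat manual; the function names ctx_field and role_note and the sample labels are constructed for illustration.

```sh
#!/bin/sh
# Added example: split an SELinux context and describe its role field.

# ctx_field CONTEXT N -> print field N (1=user, 2=role, 3=type, 4=level).
# The level can itself contain ':' (for example s0-s0:c0.c1023), so only
# the first three separators count as field boundaries.
# The body runs in a subshell, so 'exit' only ends the function.
ctx_field() (
    ctx=$1
    case $ctx in *:*:*) ;; *) exit 1 ;; esac   # need user, role and type
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    typ=${rest%%:*};  level=
    case $rest in *:*) level=${rest#*:} ;; esac
    [ -n "$user" ] && [ -n "$role" ] && [ -n "$typ" ] || exit 1
    case $2 in
        1) echo "$user" ;;
        2) echo "$role" ;;
        3) echo "$typ" ;;
        4) echo "$level" ;;
        *) exit 1 ;;
    esac
)

# role_note CONTEXT -> one line summarising the role as described above.
role_note() (
    role=$(ctx_field "$1" 2) || { echo "invalid context"; exit 1; }
    case $role in
        object_r) echo "object: role is only a placeholder" ;;
        user_r)   echo "subject: default user role" ;;
        staff_r)  echo "subject: use 'newrole -r sysadm_r' for admin tasks" ;;
        sysadm_r) echo "subject: system administrator role" ;;
        *)        echo "subject: role $role" ;;
    esac
)

# Constructed sample labels (not taken from a real system).
for c in "user_u:system_r:unconfined_t" \
         "root:staff_r:staff_t:s0-s0:c0.c1023" \
         "system_u:object_r:etc_t"; do
    printf '%-38s %s\n' "$c" "$(role_note "$c")"
done

# On an SELinux-enabled host, also describe the current login context.
if cur=$(id -Z 2>/dev/null); then
    printf '%-38s %s\n' "$cur" "$(role_note "$cur")"
fi
```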