Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

49.5.2. Comparing SELinux and Standard Linux User Identities

SELinux maintains its own user identity for processes, separately from Linux user identities. In the targeted policy (the default for Red Hat Enterprise Linux), only a minimal number of SELinux user identities exist:
  • system_u — System processes
  • root — System administrator
  • user_u — All login users
Use the semanage user -l command to list SELinux users:
~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range            SELinux Roles

root            user       s0         s0-s0:c0.c1023       system_r sysadm_r user_r
system_u        user       s0         s0-s0:c0.c1023       system_r
user_u          user       s0         s0-s0:c0.c1023       system_r sysadm_r user_r
Refer to Section 49.8.3, “Understanding the Users and Roles in the Targeted Policy” for more information about SELinux users and roles.
SELinux Logins

One of the properties of targeted policy is that login users all run in the same security context. From a TE point of view, in targeted policy, they are security-equivalent. To effectively use MCS, however, we need to be able to assign different sets of categories to different Linux users, even though they are all the same SELinux user (user_u). This is solved by introducing the concept of an SELinux login. This is used during the login process to assign MCS categories to Linux users when their shell is launched.

Use the semanage login -a command to assign Linux users to SELinux user identities:
~]# semanage login -a james
~]# semanage login -a daniel
~]# semanage login -a olga
Now when you list the SELinux users, you can see the Linux users assigned to a specific SELinux user identity:
~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
james                     user_u                    s0
daniel                    user_u                    s0
root                      root                      s0-s0:c0.c1023
olga                      user_u                    s0
Notice that at this stage only the root account is assigned to any categories. By default, the root account is configured with access to all categories.
Red Hat Enterprise Linux and SELinux are preconfigured with several default categories, but to make effective use of MCS, the system administrator typically modifies these or creates further categories to suit local requirements.