Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
Chapter 6. Confining Users
In Red Hat Enterprise Linux, users are mapped to the SELinux
For example, processes run by the SELinux
unconfined_u user by default. All processes run by unconfined_u are in the unconfined_t domain. This means that users can access across the system within the limits of the standard Linux DAC policy. However, a number of confined SELinux users are available in Red Hat Enterprise Linux. This means that users can be restricted to limited set of capabilities. Each Linux user is mapped to an SELinux user using SELinux policy, allowing Linux users to inherit the restrictions placed on SELinux users, for example (depending on the user), not being able to:
- run the X Window System
- use networking
- run setuid applications (unless SELinux policy permits it)
- or run the
suandsudocommands.
user_u user are in the user_t domain. Such processes can connect to network, but cannot run the su or sudo commands. This helps protect the system from the user. See Section 3.3, “Confined and Unconfined Users”, Table 3.1, “SELinux User Capabilities” for further information about confined users and their capabilities.
6.1. Linux and SELinux User Mappings
As root, enter the following command to view the mapping between Linux users and SELinux users:
~]#semanage login -lLogin Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 *
In Red Hat Enterprise Linux, Linux users are mapped to the SELinux
__default__ login by default (which is in turn mapped to the SELinux unconfined_u user). When a Linux user is created with the useradd command, if no options are specified, they are mapped to the SELinux unconfined_u user. The following defines the default-mapping:
__default__ unconfined_u s0-s0:c0.c1023 *
