25.2.6 About SELinux Users

As described in Section 25.2.5, “About SELinux Context”, each SELinux user account complements a regular Oracle Linux user account. SELinux maps every Oracle Linux user to an SELinux user identity, and that identity is used in the SELinux context of the processes in the user's session.

SELinux users form part of the SELinux policy: each is authorized for a specific set of roles and for a specific MLS (Multi-Level Security) range, and each Oracle Linux user is mapped to one SELinux user as part of the policy. As a result, Linux users inherit the restrictions, security rules and mechanisms placed on the SELinux user they are mapped to. The mapped SELinux user identity appears in the SELinux context of every process in the user's session, and it is this identity that determines which roles and levels the user can use. You can display the mapping in the User Mapping view of the SELinux Administration GUI, or from the command line:

# semanage login -l
Login Name   SELinux User     MLS/MCS Range
_default_    unconfined_u     s0-s0:c0.c1023
root         unconfined_u     s0-s0:c0.c1023
system_u     system_u         s0-s0:c0.c1023

The MLS/MCS Range column displays the range of sensitivity levels and categories that the mapping allows. In the listing above, s0-s0:c0.c1023 means the single sensitivity level s0 (the only level used by the targeted policy) together with the full set of MCS categories c0 to c1023.

By default, Oracle Linux users are mapped to the SELinux user unconfined_u: the _default_ entry in the listing applies to every login name that has no explicit mapping of its own, so a newly created user is unconfined unless you map it otherwise.

You can confine Oracle Linux users by mapping them to one of the confined SELinux users in the following table. Processes in such a user's session run in the listed SELinux domain, which has the predefined security rules and mechanisms shown.

SELinux User   SELinux Domain   Permit Running su?   Permit Network Access?   Permit Logging in Using X Window System?   Permit Executing Applications in $HOME and /tmp?
guest_u        guest_t          No                   No                       No                                         No
staff_u        staff_t          Yes                  Yes                      Yes                                        Yes
user_u         user_t           No                   Yes                      Yes                                        Yes
xguest_u       xguest_t         No                   Firefox only             Yes                                        No
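The following script is an added example and is not part of the Oracle Linux documentation. It audits a semanage login -l listing for logins that are still mapped to unconfined_u, resolves the SELinux user a login will actually receive (falling back to the _default_ entry as SELinux does), and prints the semanage command that would confine a login to user_u, the row in the table above that keeps network and X access but denies su. The listing embedded in the script is constructed to match the format shown earlier; the login names alice, bob and carol are hypothetical. On a real host, pipe the live command output into the functions instead.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux documentation: audit the
# login-to-SELinux-user mapping and print the semanage commands that would
# confine a login. The listing below is constructed to match the format of
# `semanage login -l` shown above (alice and bob are hypothetical logins);
# on a real host, pipe the live command output into the functions instead.

SAMPLE_SEMANAGE_OUTPUT='Login Name   SELinux User     MLS/MCS Range
_default_    unconfined_u     s0-s0:c0.c1023
root         unconfined_u     s0-s0:c0.c1023
system_u     system_u         s0-s0:c0.c1023
alice        staff_u          s0-s0:c0.c1023
bob          unconfined_u     s0-s0:c0.c1023'

# Print every login name (including _default_) mapped to unconfined_u, one per
# line. Reads a `semanage login -l` listing from stdin and skips the header.
unconfined_logins() {
    awk 'NR > 1 && $2 == "unconfined_u" { print $1 }'
}

# Print the SELinux user a given login will get: its explicit entry if there is
# one, otherwise the _default_ entry, which is the fallback SELinux applies.
effective_mapping() {
    awk -v login="$1" '
        NR > 1 && $1 == login       { explicit = $2 }
        NR > 1 && $1 == "_default_" { fallback = $2 }
        END { print (explicit != "" ? explicit : fallback) }'
}

# Print the commands that confine one login to the user_u SELinux user
# (user_t domain: no su, but network access and X login allowed). Use
# `semanage login -m` instead of `-a` to change an entry that already exists,
# for example _default_. The new mapping applies from the user's next login.
confine_commands() {
    printf 'semanage login -a -s user_u %s\n' "$1"
    printf 'semanage login -l\n'
}

echo "Logins mapped to unconfined_u:"
printf '%s\n' "$SAMPLE_SEMANAGE_OUTPUT" | unconfined_logins

echo "Effective mapping for carol (no explicit entry):"
printf '%s\n' "$SAMPLE_SEMANAGE_OUTPUT" | effective_mapping carol

echo "To confine bob, run as root:"
confine_commands bob
```

Because _default_ is itself mapped to unconfined_u, the audit reports it alongside root and bob: any login without an explicit entry, such as carol, is unconfined. Confining _default_ (semanage login -m -s user_u _default_) therefore confines every unlisted user at once, including accounts created later, which is the usual hardening step; map administrators to staff_u explicitly first so they keep su. The mapping only affects sessions started after the change, so have the user log out and back in, then check the session context with id -Z.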