Administering SELinux Users
Provides guidance on mapping Oracle Linux accounts to SELinux users and managing confined user roles, levels, and execution controls.
As described in Administering SELinux Security Context, each SELinux user account complements a regular Oracle Linux user account. SELinux maps every Oracle Linux user to an SELinux user identity that's used in the SELinux context for the processes in a user session.
SELinux users form part of an SELinux policy: each SELinux user is authorized for a specific set of roles and for a specific MLS (Multi-Level Security) range, and each Oracle Linux user is mapped to an SELinux user as part of the policy. Linux users therefore inherit the restrictions, security rules, and mechanisms placed on the SELinux user they're mapped to. The mapped SELinux user identity is used in the SELinux context for processes in a session, which is what defines the roles and levels available to the user.
By default, users are mapped to the unconfined_u SELinux user when they're created. With that setting, SELinux functions in a nonrestrictive capacity. To improve system security, you can change the default user mapping and start applying different user mappings for different user requirements on the system.
Understanding Confined SELinux Users
SELinux includes several confined users that are restricted to different security domains and include predefined security rules that control what users can do. SELinux policies include rules that apply to the different roles that a user can belong to, and these are used to enforce what operations are allowed for each SELinux user.
By convention, SELinux users have the suffix _u, such as user_u.
Oracle Linux includes several predefined SELinux users that you can use to restrict system access immediately:
- unconfined_u - A largely unrestricted SELinux user, often set as the default SELinux user mapping for less restrictive environments. In a hardened environment, no system user accounts should map to this user.
- root - The SELinux user meant for the root account.
- sysadm_u - The SELinux user with the direct system administrative role assigned. This user isn't intended to run nonadministrative commands.
- staff_u - The SELinux user for users that need to run both nonadministrative commands (through the staff_r role) and administrative commands (through the sysadm_r role).
- user_u - The SELinux user for nonprivileged accounts that don't need to run any administrative commands.
- system_u - The SELinux user for system services. Do not map real user accounts to system_u; reserve it for service domains managed by policy.
- xguest_u - The SELinux user for guest access to a system, provisioned with limited access.
Users are confined to their SELinux domains, and policies control the types of things that they can do on the system. The following table illustrates how certain predefined security rules work for different users.
| SELinux User | SELinux Domain | Can run su or sudo? | Allows network access? | Allows X Window System login? | Allows execution in home directory and /tmp? |
|---|---|---|---|---|---|
| guest_u | guest_t | No | No | No | No |
| staff_u | staff_t | Yes (via sudo) | Yes | Yes | No (enable allow_staff_exec_content) |
| system_u | Policy-defined (per service) | No (service context) | Policy-defined | No | No |
| user_u | user_t | No | Yes | Yes | No (enable allow_user_exec_content) |
| xguest_u | xguest_t | No | Firefox only | Yes | No |
SELinux users are distinct and managed separately from standard Oracle Linux system users within SELinux. You can map Oracle Linux system user accounts to different SELinux users to apply a more restrictive security policy framework to any of the system user accounts.
Mapping Oracle Linux Users to SELinux Confined Users
By default, users are mapped to the unconfined_u SELinux user when they're created. Users can check their security context by running:
id -Z
The output is similar to the following:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
A system administrator can map an Oracle Linux user to an SELinux confined user to apply different levels of access. For example, to map the oracle user to the SELinux user_u user, use the semanage command:
sudo semanage login -a -s user_u oracle
When you create a user, you can specify the SELinux user mapping when you run the useradd command. For example, to add a privileged oracleadmin user that maps to the SELinux staff_u user, run:
sudo useradd -Z staff_u oracleadmin
Setting the Default User Mapping
This task shows how to change the default user mapping from unconfined_u to another SELinux user.
On most newly installed systems, the default user mapping is set to the unconfined_u SELinux user to provide a less restrictive environment for general use. In some environments where strict policy enforcement is required, such as when conforming to a Security Technical Implementation Guide (STIG), you might need to map all Oracle Linux user accounts to appropriate confined SELinux users so that a system is better protected by the SELinux policy rules that you're enforcing.
Note that the unconfined security context continues to apply to users after this change until the user session or the process is restarted under the new context. To enforce this change at a system-wide level, reboot the system.
Configuring the Behavior of Application Execution for Users
To help prevent flawed or malicious applications from changing a user's files, you can use Boolean values to specify whether users can run applications in directories in which they have write access, such as the user's home directory hierarchy and /tmp.
The following settings let Oracle Linux users in the guest_t and xguest_t domains run applications in directories they can write to:
sudo setsebool -P allow_guest_exec_content on
sudo setsebool -P allow_xguest_exec_content on
The following settings prevent users in the staff_t and user_t domains from running applications in directories they can write to:
sudo setsebool -P allow_staff_exec_content off
sudo setsebool -P allow_user_exec_content off
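As an added example (not from the Oracle Linux documentation), the following POSIX shell script audits both the login mappings from the previous sections and the exec_content Booleans above: it flags accounts still mapped to unconfined_u and confined domains whose exec_content Boolean is still on, using constructed sample output in the layout of semanage login -l and getsebool -a. The remediation it prints uses the semanage login and setsebool forms shown on this page (the account names svc_backup and the MLS/MCS ranges are assumed sample values) and is printed rather than run.

```shell
#!/bin/sh
# Sample output in the layout of `semanage login -l` (constructed for this example).
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
oracle               user_u               s0                   *
oracleadmin          staff_u              s0-s0:c0.c1023       *
svc_backup           unconfined_u         s0-s0:c0.c1023       *'

# Sample output in the layout of `getsebool -a` (constructed for this example).
SAMPLE_BOOLS='allow_guest_exec_content --> off
allow_staff_exec_content --> on
allow_user_exec_content --> off
allow_xguest_exec_content --> off'

# Print each login (including __default__) still mapped to unconfined_u.
# Reads `semanage login -l` output on stdin; skips the header line and root,
# whose mapping is a separate decision from the ordinary-account policy.
unconfined_logins() {
    awk 'NR > 1 && $1 != "root" && $2 == "unconfined_u" { print $1 }'
}

# Print the exec_content Booleans that are still "on" for the staff_t and
# user_t domains. Reads `getsebool -a` output on stdin.
permissive_exec_booleans() {
    awk '$1 ~ /^allow_(staff|user)_exec_content$/ && $3 == "on" { print $1 }'
}

# Print (not run) the command that remaps one finding: the default mapping
# goes to user_u, named accounts to staff_u, each with an explicit range.
remediation_for_login() {
    case "$1" in
        __default__) echo "semanage login -m -s user_u -r s0 __default__" ;;
        *)           echo "semanage login -m -s staff_u -r s0-s0:c0.c1023 $1" ;;
    esac
}

# Run the checks over the constructed samples. On a live system, pipe the
# real commands in instead, e.g. semanage login -l | unconfined_logins
printf '%s\n' "$SAMPLE_LOGINS" | unconfined_logins | while read -r login; do
    echo "FINDING: $login is mapped to unconfined_u -> $(remediation_for_login "$login")"
done
printf '%s\n' "$SAMPLE_BOOLS" | permissive_exec_booleans | while read -r b; do
    echo "FINDING: $b is on -> setsebool -P $b off"
done
```

Changed mappings only take effect for new sessions, as noted above, so re-run the audit after users log in again or after a reboot.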
For more information, see Customizing SELinux Policies.