The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
As described in Section 3.7.5, “About SELinux Context”, each SELinux user account complements a regular Oracle Linux user account. SELinux maps every Oracle Linux user to an SELinux user identity that is used in the SELinux context for the processes in a user session.
SELinux users form part of an SELinux policy that is authorized for a specific set of roles and for a specific MLS (Multi-Level Security) range, and each Oracle Linux user is mapped to an SELinux user as part of the policy. As a result, Linux users inherit the restrictions and security rules and mechanisms placed on SELinux users. To define the roles and levels of users, the mapped SELinux user identity is used in the SELinux context for processes in a session. You can display user mapping in the User Mapping view of the SELinux Administration GUI. You can also view the mapping between SELinux and Oracle Linux user accounts from the command line:
```
# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
```
The MLS/MCS Range column displays the level used by MLS and MCS.
By default, Oracle Linux users are mapped to the SELinux user unconfined_u.
You can configure SELinux to confine Oracle Linux users by mapping them to SELinux users in confined domains, which have predefined security rules and mechanisms as listed in the following table.
| SELinux User | SELinux Domain | Permit Running su? | Permit Network Access? | Permit Logging in Using X Window System? | Permit Executing Applications in |
|---|---|---|---|---|---|
| | | No | No | No | No |
| | | Yes | Yes | Yes | Yes |
| | | No | Yes | Yes | Yes |
| | | No | Firefox only | Yes | No |
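
To audit which accounts are still unconfined, the mapping table shown above can be parsed directly. The script below is an added example, not part of the Oracle documentation; the function names, the `--live` switch and the embedded sample (including the hypothetical `alice` row mapped to `user_u`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find Linux logins that are mapped to unconfined_u.

# Constructed sample in the layout of `semanage login -l`. The "alice" row is
# hypothetical; user_u is a confined SELinux user in the targeted policy.
sample_mappings() {
cat <<'EOF'

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
alice                     user_u                    s0
EOF
}

# Read a mapping table on stdin and print each login name (or %group) that is
# mapped to unconfined_u. Blank lines and the header row are skipped.
unconfined_logins() {
  awk '
    NF == 0                        { next }
    $1 == "Login" && $2 == "Name"  { next }
    $2 == "unconfined_u"           { print $1 }
  '
}

# Print the SELinux user behind __default__, the mapping applied to every
# Linux account that has no explicit entry of its own.
default_selinux_user() {
  awk '$1 == "__default__" { print $2 }'
}

if [ "${1:-}" = "--live" ]; then
  # Requires root on a host with policycoreutils installed.
  semanage login -l | unconfined_logins
else
  sample_mappings | unconfined_logins
fi
```

If `__default__` appears in the result, every Linux account without an explicit mapping runs unconfined, so confining individual users has no effect on accounts created later.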