4 Administering SELinux Users

As described in Administering SELinux Security Context, each SELinux user account complements a regular Oracle Linux user account. SELinux maps every Oracle Linux user to an SELinux user identity that's used in the SELinux context for the processes in a user session.

SELinux users form part of an SELinux policy. Each SELinux user is authorized for a specific set of roles and for a specific MLS (Multi-Level Security) range, and each Oracle Linux user is mapped to an SELinux user as part of the policy. As a result, Linux users inherit the restrictions, security rules, and mechanisms placed on the SELinux user they map to. The mapped SELinux user identity is used in the SELinux context for processes in a session, and it determines the roles and levels that are available to the user.

By default, users are mapped to the unconfined_u SELinux user when they're created, unless otherwise specified. With that setting, SELinux functions in a nonrestrictive capacity. To improve system security, you can change the default user mapping and start applying different user mappings for different user requirements on the system.

Understanding Confined SELinux Users

SELinux includes several confined users that are restricted to different security domains and that have predefined security rules and mechanisms to control what a user is allowed to do. SELinux policies include rules that apply to the different roles that a user can belong to, and these rules enforce which operations are allowed for each SELinux user.

By convention, SELinux users have the suffix _u, such as user_u.

Oracle Linux includes several predefined SELinux users that you can use to restrict system access immediately:

unconfined_u
A largely unrestricted SELinux user that's often set as the default SELinux user mapping for system user accounts on new systems in a less restrictive environment. In a hardened environment, no system user accounts should map to this user.
root
The SELinux user meant for the root account.
sysadm_u
The SELinux user that's assigned the system administrative role directly. This user isn't intended to run nonadministrative commands.
staff_u
The SELinux user for users that need to run both nonadministrative commands (through the staff_r role) and administrative commands (through the sysadm_r role).
user_u
The SELinux user for nonprivileged accounts that don't need to run any administrative commands.
system_u
The SELinux user for system services.
xguest_u
The SELinux user for guest access to a system and provisioned with limited access.

Users are confined to their SELinux domains, and policies control the types of things that they can do on the system. The following table illustrates how certain predefined security rules work for different users.

SELinux User   SELinux Domain   Permit Running su and sudo?   Permit Network Access?   Permit Logging in Using X Window System?   Permit Executing Applications in $HOME and /tmp?
guest_u        guest_t          No                            Yes                      No                                         No
staff_u        staff_t          sudo                          Yes                      Yes                                        Yes
system_u       system_t         Yes                           Yes                      Yes                                        Yes
user_u         user_t           No                            Yes                      Yes                                        Yes
xguest_u       xguest_t         No                            Firefox only             Yes                                        No

SELinux users are distinct and managed separately from standard Oracle Linux system users within SELinux. You can map Oracle Linux system user accounts to different SELinux users to apply a more restrictive security policy framework to any of the system user accounts.

Mapping Oracle Linux Users to SELinux Confined Users

By default, users are mapped to the unconfined_u SELinux user when they're created, unless otherwise specified. Users can check their security context by running:

id -Z

Output might be similar to the following example:

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

A system administrator can map an Oracle Linux user to an SELinux confined user to apply different levels of access. For example, to map the oracle user to the SELinux user_u user, use the semanage command:

sudo semanage login -a -s user_u oracle

When you create a user, you can specify the SELinux user mapping when you run the useradd command. For example, to add a privileged oracleadmin user that maps onto the SELinux staff_u user, run:

sudo useradd -Z staff_u oracleadmin

Setting the Default User Mapping

On most newly installed systems, the default user mapping is set to the unconfined_u SELinux user to provide a less restrictive environment for general use. In some environments where strict policy enforcement is required, such as when conforming to a Security Technical Implementation Guide (STIG), you might need to map all Oracle Linux user accounts to appropriate confined SELinux users so that a system is better protected by the SELinux policy rules that you're enforcing.

  1. To change the default user mapping so that any user accounts that don't have explicit SELinux user mappings are confined to the SELinux user_u user, run:

     sudo semanage login -m -s user_u -r s0 __default__

  2. Verify that the __default__ user mapping is no longer set to the unconfined_u SELinux user by running:

     semanage login -l

Note that the unconfined security context continues to apply to users who are already logged in until their session or process is restarted under the new context. To enforce this change at a system-wide level, reboot the system.
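
The following script is an added example and isn't part of the Oracle Linux documentation. It shows how to audit the login mappings that the semanage commands above produce: which logins still map to unconfined_u, what __default__ currently points at, and which SELinux user an account without an explicit mapping actually gets. The listing embedded in the script is a constructed sample in the four-column format that semanage login -l prints (the login names oracle, oracleadmin, builder, and alice are assumed for the example); on a real system, pipe live semanage login -l output into the same functions.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux documentation: audit SELinux
# login mappings after the __default__ mapping has been changed.
# SAMPLE_LISTING is a constructed sample in the format `semanage login -l`
# prints; on a real system use live output instead, for example:
#   semanage login -l | logins_mapped_to unconfined_u

SAMPLE_LISTING='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
oracle               user_u               s0                   *
oracleadmin          staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
builder              unconfined_u         s0-s0:c0.c1023       *'

# Print "login selinux_user" for every login mapped to the SELinux user given
# as $1. The header line never matches because its second field is "Name".
logins_mapped_to() {
    awk -v target="$1" '$2 == target { print $1, $2 }'
}

# Print the SELinux user that a single login (given as $1) maps to, or nothing
# if the login has no explicit mapping and therefore falls back to __default__.
selinux_user_of() {
    awk -v login="$1" '$1 == login { print $2; exit }'
}

# Resolve the effective SELinux user for a login: its explicit mapping if one
# exists, otherwise the __default__ mapping. The listing is read from stdin
# once and scanned twice.
effective_selinux_user() {
    listing=$(cat)
    mapped=$(printf '%s\n' "$listing" | selinux_user_of "$1")
    if [ -n "$mapped" ]; then
        printf '%s\n' "$mapped"
    else
        printf '%s\n' "$listing" | selinux_user_of __default__
    fi
}

# Exit status 0 when __default__ no longer points at unconfined_u (the state
# that step 2 above verifies), 1 otherwise.
default_is_confined() {
    [ "$(selinux_user_of __default__)" != "unconfined_u" ]
}

# Run the audit against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LISTING" | default_is_confined \
    && echo "__default__ mapping is confined" \
    || echo "__default__ still maps to unconfined_u"
echo "Logins still mapped to unconfined_u:"
printf '%s\n' "$SAMPLE_LISTING" | logins_mapped_to unconfined_u
echo "Effective SELinux user for the unmapped login alice:"
printf '%s\n' "$SAMPLE_LISTING" | effective_selinux_user alice
```

Any login that the audit still reports as unconfined_u keeps that mapping regardless of the __default__ change, because an explicit entry always takes precedence over __default__; each such account needs its own semanage login -m (or -a) entry before the system as a whole is confined.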

Configuring the Behavior of Application Execution for Users

To help prevent flawed or malicious applications from modifying a user's files, you can use Boolean values to specify whether users are permitted to run applications in directories for which they have write access, such as the user's home directory hierarchy and /tmp.

To enable Oracle Linux users in the guest_t and xguest_t domains to run applications in directories to which they have write access, type:

sudo setsebool -P allow_guest_exec_content on
sudo setsebool -P allow_xguest_exec_content on

The following example shows how to prevent users in the staff_t and user_t domains from running applications in directories to which they have write access:

sudo setsebool -P allow_staff_exec_content off
sudo setsebool -P allow_user_exec_content off
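
The following script is an added example and isn't part of the Oracle Linux documentation. It compares the four exec_content Booleans from the commands above against a hardened baseline and prints the setsebool -P commands needed to reach that baseline, reporting any Boolean that's missing from the input rather than silently treating it as compliant. The baseline (all four Booleans off) is an assumption made for the example, and the current state embedded in the script is a constructed sample in the "name --> value" format that getsebool prints; on a real system, pipe live getsebool output into the same functions.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux documentation: compare the
# exec_content Booleans against a hardened baseline and print the setsebool -P
# commands needed to reach it. CURRENT_STATE is a constructed sample in the
# format `getsebool` prints; on a real system pipe live output in instead:
#   getsebool allow_guest_exec_content allow_xguest_exec_content \
#       allow_staff_exec_content allow_user_exec_content | remediation_commands
CURRENT_STATE='allow_guest_exec_content --> off
allow_xguest_exec_content --> off
allow_staff_exec_content --> on
allow_user_exec_content --> on'

# Desired end state, an assumption made for this example: no user domain may
# execute applications from directories it can write to ($HOME, /tmp).
BASELINE='allow_guest_exec_content off
allow_xguest_exec_content off
allow_staff_exec_content off
allow_user_exec_content off'

# Read getsebool output on stdin and print "name current desired" for each
# Boolean in BASELINE whose current value differs. Booleans absent from the
# input are reported with the current value "missing", so a mistyped name or
# an unloaded policy module is not mistaken for a compliant setting.
exec_content_drift() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                want[kv[1]] = kv[2]
            }
        }
        $2 == "-->" && ($1 in want) { seen[$1] = $3 }
        END {
            for (name in want) {
                if (!(name in seen))
                    print name, "missing", want[name]
                else if (seen[name] != want[name])
                    print name, seen[name], want[name]
            }
        }
    ' | sort
}

# Turn each drift line into the persistent setsebool command that corrects it.
remediation_commands() {
    exec_content_drift | while read -r name current desired; do
        printf 'sudo setsebool -P %s %s\n' "$name" "$desired"
    done
}

# Run against the constructed sample when executed directly.
echo "Booleans that differ from the baseline (name current desired):"
printf '%s\n' "$CURRENT_STATE" | exec_content_drift
echo "Commands to apply:"
printf '%s\n' "$CURRENT_STATE" | remediation_commands
```

Run on the sample, the script reports allow_staff_exec_content and allow_user_exec_content as on where the baseline wants off and prints the two matching setsebool -P ... off commands; the guest and xguest Booleans already match and produce no output.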

For more information, see Customizing SELinux Policies.