CentOS 7 – SELinux users

How to install docker on windows 10

As explained before, SELinux users are different from normal Linux users. SELinux users are defined in the policy that’s loaded into the memory at boot time, and there are only a few of these users.

After SELinux is enforced, each regular user account is mapped to a SELinux user account. There can be multiple user accounts mapped to the same SELinux user. This enables the normal user account to inherit the permission of its SELinux counterpart.

To view the mapping, we will run the following command:


semanage login -l

Here, we will find that there are only three Login Names as shown in the preceding screenshot representing the Linux user accounts. Any Linux user is mapped to the entry shown as __default__ here. The user root is not mapped to default, instead it has its own entry and there is system_u for the running processes or services. The second column indicates the SELinux user they are mapped to. Normal user accounts and roots are mapped to unconfined_u, whereas the processes and services are mapped to the system_u SELinux user. For now, ignore the third column, which shows the Multi-Level Security ( MLS) Multi Category Security (MCS) class for the user, and the last column (service) as well.

To see the SELinux users that are available in the system, use the semanage user command as follows:


semanage user -l

The table in the preceding screenshot shows the SELinux users available in the system and the roles they have access to. We already discussed that SELinux roles are like gateways between a user and a process. We also compared them to filters, where a user can enter a role, provided the role grants it. If a role is authorized to access a process domain, the users associated with that role will be able to enter that process domain.

Now, run the id -Z command as the root user. It will show the SELinux security context for the root:

So, the root user is mapped to the unconfined_t SELinux user, which is authorized to the unconfined_r role, which in turn is authorized to run processes in the unconfined_t domain.

We already saw that there are several SELinux users available in the system. Let’s discuss some of them here:

  • guest_u: This type of user doesn’t have access to the X Windows system or networking and also cannot execute the su or sudo commands
  • xguest_u: This type of user has access to GUI and the network via the browser only
  • user_u: This type of user has general access to GUI and the network but cannot run su or sudo
  • staff_u: This is the same as user_u except that they can run sudo.
  • system_u: This is meant for system services and are not mapped with regular user accounts

Comments are closed.