SELinux/Tutorials/Creating a user domain

Creating a user domain
In this tutorial the focus is on creating a user domain. By default, SELinux on Gentoo comes with a number of SELinux users and roles, but more can be added to tailor the SELinux permissions to the purpose of the system. In this tutorial, a mail administrator user will be created that has administrative rights on the Postfix infrastructure.

Creating the user module
The first step is to create a user module, in this case one for the mail administrator. This module contains the permissions granted to that user, including the new domain and role:

Build and load the module, then verify that the user domain (the type) and the role now exist in the loaded policy:

Update context and type information
Before assigning the new user domain to a real Linux account, it is important to first configure SELinux contexts and types for it.

The first file to update is (substitute mcs with the name of the policy store that is active on the system). It tells SELinux which type to use by default when a role is selected. In this case, when mailadm_r is selected, mailadm_t should be the default type:

The second file is one to create inside. The simplest method is to copy the file of an existing SELinux user (this is for SELinux users) and modify it so that it references the new role and type instead of the original ones.

Assign mailadm to the right Linux account
Finally, assign the newly created role to a Linux account.

First, create a SELinux user to which the role and type are mapped. This user is mailadm_u (which is also the name of the file created previously).

Next, map this user to the Linux account. For instance, if the Linux account is user1234 then this is accomplished like so:

Finally, reset the contexts of this user's home directory so that its files carry the new SELinux user:
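The whole procedure (module creation, context files, SELinux user and login mapping) as one script. This is an added example, not a listing from the wiki page or from the Gentoo policy tree. It assumes things the page leaves open: the policy store is mcs, the Linux account is user1234, the module is built against /usr/share/selinux/<store>/include/Makefile, the new user file is derived from the existing staff_u file, and the module grants the domain through the reference policy interfaces userdom_unpriv_user_template and postfix_admin.

```shell
#!/bin/sh
# Added example (not from the wiki page). Assumptions: policy store "mcs",
# Linux account "user1234", staff_u as the template user file, and the
# build Makefile path below. Run as root with:  sh mailadm-setup.sh --apply

STORE="${STORE:-mcs}"           # policy store name (assumed)
ACCOUNT="${ACCOUNT:-user1234}"  # Linux account to map (assumed)
SEDIR="/etc/selinux/${STORE}"
BUILD_MAKEFILE="/usr/share/selinux/${STORE}/include/Makefile"  # assumed path

# Step 1: the policy module source. The user template creates mailadm_t and
# mailadm_r; postfix_admin() then grants that domain and role administrative
# rights over the Postfix domains and files (assumed module content).
mailadm_te() {
    cat <<'EOF'
policy_module(mailadm, 1.0)

userdom_unpriv_user_template(mailadm)
postfix_admin(mailadm_t, mailadm_r)
EOF
}

# Step 2a: one line of contexts/default_type, formatted as "role:type".
default_type_line() {
    printf '%s:%s\n' "$1" "$2"
}

# Step 2b: derive the new user's contexts file from an existing one read on
# stdin by renaming the prefix ($1 -> $2), for example staff -> mailadm.
render_user_contexts() {
    sed "s/$1_/$2_/g"
}

# Build and load the module, then check that type and role exist in the
# loaded policy (seinfo comes from setools).
build_and_load_module() {
    workdir="$(mktemp -d)"
    mailadm_te > "${workdir}/mailadm.te"
    ( cd "${workdir}" && make -f "${BUILD_MAKEFILE}" mailadm.pp ) || return 1
    semodule -i "${workdir}/mailadm.pp" || return 1
    seinfo -t mailadm_t && seinfo -r mailadm_r
}

# Steps 2 and 3: context files, SELinux user, login mapping, relabel.
apply_all() {
    build_and_load_module || return 1

    # Default type for mailadm_r, appended only if not already present.
    grep -qx "$(default_type_line mailadm_r mailadm_t)" "${SEDIR}/contexts/default_type" ||
        default_type_line mailadm_r mailadm_t >> "${SEDIR}/contexts/default_type"

    # Copy-and-modify an existing user contexts file for mailadm_u.
    render_user_contexts staff mailadm \
        < "${SEDIR}/contexts/users/staff_u" \
        > "${SEDIR}/contexts/users/mailadm_u"

    # SELinux user allowed the mailadm_r role (the role must already be in
    # the loaded policy, hence the module is loaded first), then the mapping.
    semanage user -a -R mailadm_r mailadm_u
    semanage login -a -s mailadm_u "${ACCOUNT}"

    # -F also resets the user part of the context; without it restorecon
    # keeps the old SELinux user on the existing home directory files.
    restorecon -RF "/home/${ACCOUNT}"
    semanage login -l | grep "${ACCOUNT}"
}

case "${1:-}" in
    --apply) apply_all ;;
esac
```

Without --apply the script only defines its functions, so the file-generating parts can be checked on a machine without SELinux. Two checks worth running after --apply: seinfo -u mailadm_u should list the new SELinux user, and a login as the mapped account followed by id -Z should show mailadm_u:mailadm_r:mailadm_t. If the user contexts file is missing or mis-edited, the login itself fails because no valid context can be computed, so verify that file before logging out of the current session.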

What to remember
Creating a SELinux user is a matter of the following simple steps:
 * 1) Create the module which adds in the rights
 * 2) Create the SELinux user which is allowed the role(s) previously created
 * 3) Update the SELinux contexts to recognize the new user
 * 4) Map the Linux account(s) to the new SELinux user