SELinux/Users and logins

In an SELinux context, the first part is called the SELinux user. The purpose of a SELinux user is to have an immutable part in a context (i.e. one that users cannot change themselves), both to assist in auditing (who did what) and to enforce access controls (users cannot work around SELinux user based restrictions). A SELinux user is not the same as a Linux account, however. User mappings are put in place that map a Linux user to a SELinux user.

Introduction
The relation between SELinux users, Linux accounts, SELinux roles and the supported domains is shown in the following drawing.



SELinux users
A SELinux user is an identifier that administrators can use to limit which SELinux roles can be used. A Linux account is mapped to one (and only one) SELinux user, whereas a SELinux user can be linked to multiple roles.

As shown in the drawing above, SELinux users define which roles can be used. As roles define the privileges of a user, this is effectively used to limit the ability of users to run or execute particular applications. One of the supported domains,, is meant for the   application which allows users to switch roles. As the  SELinux user does not need to switch roles, the   role is not allowed to use the   domain.
 * The  SELinux user is linked with the   role. This role is allowed to run non-administrative applications (the set of supported SELinux domains).
 * The  SELinux user on the other hand is linked with both the   role and   role. That means that users mapped to the   SELinux user can switch between those two roles.
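
The chain described above (Linux account to exactly one SELinux user, SELinux user to one or more roles) can be audited by joining the two listings printed by `semanage login -l` and `semanage user -l`. The following is an added example, not part of the original page: both listings are constructed samples in the MLS/MCS column layout, and the account names `alice` and `bob` and the helper function names are hypothetical.

```python
# Added example: resolve Linux login -> SELinux user -> allowed roles.
# Constructed sample in the layout of `semanage login -l` (MLS/MCS policy).
LOGIN_LISTING = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 root                 s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
"""

# Constructed sample in the layout of `semanage user -l` (MLS/MCS policy).
USER_LISTING = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r
user_u          user       s0         s0                             user_r
"""

def _rows(listing):
    """Return whitespace-split data rows (everything after the header block)."""
    body = listing.split("\n\n", 1)[1]
    return [line.split() for line in body.splitlines() if line.strip()]

def parse_logins(listing):
    """Map login name -> SELinux user (exactly one per login)."""
    return {row[0]: row[1] for row in _rows(listing)}

def parse_users(listing):
    """Map SELinux user -> roles (assumes roles start at column 5, MLS/MCS layout)."""
    return {row[0]: row[4:] for row in _rows(listing)}

def resolve(login, logins, users):
    """Return (selinux_user, roles); unlisted accounts use the __default__ mapping."""
    seuser = logins.get(login, logins["__default__"])
    return seuser, users[seuser]

def logins_reaching(role, logins, users):
    """List login mappings whose SELinux user is allowed to use `role`."""
    return sorted(l for l, u in logins.items() if role in users.get(u, []))

if __name__ == "__main__":
    logins, users = parse_logins(LOGIN_LISTING), parse_users(USER_LISTING)
    for account in ("alice", "bob", "root"):
        seuser, roles = resolve(account, logins, users)
        print(f"{account}: {seuser} -> {' '.join(roles)}")
    print("can reach sysadm_r:", logins_reaching("sysadm_r", logins, users))
```

Group mappings (login entries beginning with `%`) are not resolved here; an account covered only by such an entry would be reported under `__default__`.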

Let's take a look at the set of SELinux users enabled by default.