SELinux/Tutorials/Defining SELinux users

From Gentoo Wiki
Jump to: navigation, search

Defining SELinux users

In the previous tutorial, we briefly touched SELinux users as to explain how SELinux roles work. In this tutorial, we're going to focus on the SELinux user aspect itself.

The SELinux user part in the context

If we go back to the current user context, then we already know that the second field is the role and the third field the domain.

user $id -Z
user_u:user_r:user_t

You have probably already guessed that the first field is the SELinux user.

Just like with the SELinux role (which defines what the possible domains are), it is the SELinux user that defines what the possible roles are.

Roles assigned to an SELinux user

The roles that are assigned to a particular SELinux user can be seen from semanage user -l.

root #semanage user -l
SELinux User    SELinux Roles

root            staff_r sysadm_r
staff_u         staff_r sysadm_r
sysadm_u        sysadm_r
system_u        system_r
unconfined_u    unconfined_r
user_u          user_r

But unlike with the roles and their influence on the domains, we can change which roles are assigned to what SELinux user. We'll get to that later in this tutorial, let's first look at the difference between a user account and an SELinux user.

Linux accounts versus SELinux users

It is important to know that an SELinux user is not a Linux account or vice versa. Linux accounts are mapped to SELinux users, most of the time in a many-to-few relationship. In other words, many Linux accounts will, if they are logged on to a system, be running as the same SELinux user. This is not mandatory though - you can create separate SELinux accounts for each Linux user, but if all these users have similar rights, it would only incur overhead.

You can see the mapping of Linux accounts to SELinux users using semanage login -l.

root #semanage login -l

Login Name                SELinux User             

__default__               user_u
root                      root
swift                     staff_u
system_u                  system_u

In the above example, there is

  • the root user, which is mapped to the root SELinux user
  • the swift account, which is mapped to the staff_u SELinux user
  • the special system_u account (which doesn't exist - it is a special definition for system daemons)
  • the special __default__ account (which doesn't exist) which plays the role of the catch-all account

The catch-all account __default__ here ensures that all newly created Linux account users are mapped to the (unprivileged) user_u SELinux user.

If you notice any Login Name that starts with the percentage sign (%), then it means that it is not about the Linux account, but the primary group. For instance:

root #semanage login -l | grep oper
%operators                staff_u

In the above case, all users whose primary group is the operators group will be mapped to the staff_u user.

Manipulating SELinux user information

As mentioned before, we can update this information - both the mapping towards SELinux user as the associated roles with an SELinux user.

Managing login mappings

First of all, to manage login mappings, we use the semanage login set of commands.

For instance, to create the operators group mapping:

root #semanage login -a -s staff_u %operators

Removing mappings is done with the -d instead of -a option. You can also modify a mapping using -m.

However, if you change a mapping for a user that already owns files on the file system, it is very important to reset the context of these files completely (i.e. using -F with restorecon) or set the new SELinux owner and role using chcon.

root #chcon -R -u staff_u -r staff_r /home/oper

If not, then the files are owned by the 'wrong' SELinux user which might cause permission troubles later on.

Managing user to role mappings

Similar as with the login mappings, we now use semanage user to modify the user/role mappings.

For instance, to create a new SELinux user called infra_u and grant it the staff_r and sysadm_r roles:

root #semanage user -a -R "staff_r sysadm_r" infra_u

Properties of an SELinux user

The SELinux user feature in SELinux has a few interesting properties.

Generally speaking, SELinux user information is never changed in a session. This isn't SELinux itself per se that dictates it, but is implemented as policy rules. There are a few deviations to this (such as when starting services), but are closely guarded policy-wise. Unlike the effective user id of a session, which can be changed using tools like su or sudo, the SELinux user information thus remains the same. This makes it possible for improved auditing, but it is mostly a security measure (to make sure that someone can never change their role to a role that they shouldn't be in).

SELinux users also allow for specific, additional constraints to be put. One of these is user based access control which, roughly speaking, ensures that files owned by one SELinux user can never be accessed by another SELinux user (but sysadm_u, root and system_u are exempt from this) if that file has a context with the ubac_constrained_type attribute assigned to it.

What you need to remember

What you should remember from this tutorial is that

  • SELinux users define what roles a user is allowed to go to
  • Linux accounts are mapped to SELinux users (but they are not the same) in a many-to-few relationship (usually)
  • the semanage login and semanage user set of commands are used to manipulate these settings
  • SELinux user information rarely changes in a session (mostly only when services are launched where they become system_u)