Difference between revisions of "Redhat: SELINUX Users"
Jump to navigation
Jump to search
| (One intermediate revision by the same user not shown) | |||
| Line 34: | Line 34: | ||
|- | |- | ||
|unconfined_u || Full System Access | |unconfined_u || Full System Access | ||
| + | |- | ||
| + | |system_u|| Linux Services | ||
|- | |- | ||
|} | |} | ||
| Line 39: | Line 41: | ||
== Confining a user with SELinux == | == Confining a user with SELinux == | ||
| − | Regular users should be confined by SELinux. If and when user accounts are compromised, SELinux will limit any damage that can be done. To set user michael to the user_u role use the command below. | + | Regular users should be confined by SELinux. If and when user accounts are compromised, SELinux will limit any damage that can be done. To set user michael to the user_u role use the command below. |
| + | <syntaxhighlight> | ||
| + | semanage login -a -s user_u michael | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | This can be reversed using this command | ||
<syntaxhighlight> | <syntaxhighlight> | ||
| − | semanage login - | + | semanage -d michael |
| + | </syntaxhighlight> | ||
| + | |||
| + | == Confining all future users with SELinux == | ||
| + | |||
| + | To set all future users to the user_u role | ||
| + | |||
| + | <syntaxhighlight> | ||
| + | semanage login -m -S targeted -s "user_u" -r s0 __default__ | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| + | |||
| + | This modifies the targeted policy store and sets the MLS range to level s0. | ||
Latest revision as of 20:50, 17 August 2013
Default Regular Users
In RHEL 6 with a default insall, all regular "Default" users have the same privileges as the root user. This is shown using the semanage.
semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023This is confirmed when by running the id -Z command as a regular user:
Needs to be added
SELinux User Roles
| guest_u | No GUI, No Networking, no access to su or sudo |
| xguest_u | GUI, Networking only through firefox |
| user_u | GUI and Networking |
| staff_u | GUI, Networking and Sudo |
| unconfined_u | Full System Access |
| system_u | Linux Services |
Confining a user with SELinux
Regular users should be confined by SELinux. If and when user accounts are compromised, SELinux will limit any damage that can be done. To set user michael to the user_u role use the command below.
semanage login -a -s user_u michaelThis can be reversed using this command
semanage -d michaelConfining all future users with SELinux
To set all future users to the user_u role
semanage login -m -S targeted -s "user_u" -r s0 __default__This modifies the targeted policy store and sets the MLS range to level s0.