Redhat: SELINUX Users

From Define Wiki
Revision as of 20:50, 17 August 2013 by Michael (talk | contribs) (→‎SELinux User Roles)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Default Regular Users

In RHEL 6 with a default insall, all regular "Default" users have the same privileges as the root user. This is shown using the semanage. 

semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

This is confirmed when by running the id -Z command as a regular user: 

Needs to be added


SELinux User Roles

guest_u No GUI, No Networking, no access to su or sudo
xguest_u GUI, Networking only through firefox
user_u GUI and Networking
staff_u GUI, Networking and Sudo
unconfined_u Full System Access
system_u Linux Services

Confining a user with SELinux

Regular users should be confined by SELinux. If and when user accounts are compromised, SELinux will limit any damage that can be done. To set user michael to the user_u role use the command below. 

semanage login -a -s user_u michael

This can be reversed using this command 

semanage -d michael

Confining all future users with SELinux

To set all future users to the user_u role 

semanage login -m -S targeted -s "user_u" -r s0 __default__

This modifies the targeted policy store and sets the MLS range to level s0.

Retrieved from "http://wiki.define-technology.com/mediawiki-1.35.0/index.php?title=Redhat:_SELINUX_Users&oldid=3147"