From SELinux Wiki
Revision as of 13:21, 7 December 2014 by RichardHaines (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

SELinux Users

Users in GNU / Linux are generally associated to human users (such as Alice and Bob) or operator/system functions (such as admin), while this can be implemented in SELinux, SELinux user names are generally groups or classes of user. For example all the standard system users could be assigned an SELinux user name of user_u and administration staff under staff_u.

There is one special SELinux user defined in the Reference Policy that must never be associated to a GNU / Linux user as it a special identity for system processes and objects, this user is system_u.

The SELinux user name is the first component of a 'security context' and by convention SELinux user names end in '_u', however this is not enforced by any SELinux service (i.e. it is only to identify the user component), although CIL with namespaces does make identification of an SELinux user easier for example a 'user' could be declared as unconfined.user.

It is possible to add constraints and bounds on SELinux users as discussed in the Type Enforcement section.