# User Statements

## user Statement
The user statement is used to declare an SELinux user identifier within the policy and associate it with one or more roles. The statement also allows an optional MLS level and range to control the user's security level. It is also possible to add SELinux user ids outside the policy using the 'semanage user' command, which associates the user with roles previously declared within the policy.
The statement definition is:

```
user seuser_id roles role_id;
```

Or for MCS/MLS Policy:

```
user seuser_id roles role_id level mls_level range mls_range;
```

Where:
| Field | Description |
| --- | --- |
| user | The user keyword. |
| seuser_id | The SELinux user identifier. |
| roles | The roles keyword. |
| role_id | One or more previously declared role identifiers. Multiple role identifiers consist of a space separated list enclosed in braces ({}). |
| level | If MLS is configured, the MLS level keyword. |
| mls_level | The user's default MLS security level, which must have been previously declared with a level statement. Note that the compiler only accepts the sensitivity component of the level (e.g. s0). |
| range | If MLS is configured, the MLS range keyword. |
| mls_range | The range of security levels at which the user can run. The format is described in the MLS range Definition section. |
The statement is valid in:
Example:

```
# Using the user statement to define an SELinux user user_u that
# has been assigned the role of user_r. The SELinux user_u is a
# generic user identity for Linux users who have no specific
# SELinux user identity defined.
#
user user_u roles { user_r };
```
MLS Examples:

```
# Using the user statement to define an MLS SELinux user user_u
# that has been assigned the role of user_r and has a default
# login security level of s0 assigned, and is only allowed access
# to the s0 range of security levels.
user user_u roles { user_r } level s0 range s0;
```

```
# Using the user statement to define an MLS SELinux user
# sysadm_u that has been assigned the role of sysadm_r and has
# a default login security level of s0 assigned, and is
# allowed access to the range of security levels (low - high)
# between s0 and s15:c0.c255
user sysadm_u roles { sysadm_r } level s0 range s0 - s15:c0.c255;
```
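As an added illustration of the syntax above (this is example code written for this page, not part of the SELinux Notebook or of checkpolicy/libsemanage), the following parser reads the non-MLS and MLS forms of the user statement, including braced role lists and single-level ranges, and applies a simplified version of the compiler's rule that the bare-sensitivity default level must fall within the declared range. The sample policy text is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample statements in the forms shown above (not a real policy).
SAMPLE_POLICY = """
# non-MLS form
user user_u roles { user_r };
user staff_u roles { staff_r sysadm_r } level s0 range s0 - s15:c0.c255;
user guest_u roles guest_r level s0 range s0;
"""

# user <id> roles (<role> | { <role> ... }) [level <sens> range <low> [- <high>]] ;
# 'level' is restricted to a bare sensitivity (s0, s1, ...), as the compiler requires.
USER_RE = re.compile(
    r"^user\s+(?P<id>\w+)\s+roles\s+"
    r"(?:\{\s*(?P<roles>[\w\s]+?)\s*\}|(?P<role>\w+))"
    r"(?:\s+level\s+(?P<level>s\d+)\s+range\s+(?P<low>s\d+(?::[^\s;]+)?)"
    r"(?:\s*-\s*(?P<high>s\d+(?::[^\s;]+)?))?)?\s*;$"
)

@dataclass
class SEUser:
    name: str
    roles: List[str]
    level: Optional[str] = None   # default login sensitivity, e.g. s0
    low: Optional[str] = None     # low end of the permitted range
    high: Optional[str] = None    # high end (same as low for a single-level range)

def sensitivity(level: str) -> int:
    # Numeric sensitivity of a level such as 's15:c0.c255' (categories ignored)
    return int(re.match(r"^s(\d+)", level).group(1))

def parse_user_statements(policy: str) -> List[SEUser]:
    users = []
    for raw in policy.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = USER_RE.match(line)
        if not m:
            raise ValueError(f"not a user statement: {line!r}")
        roles = m.group("roles").split() if m.group("roles") else [m.group("role")]
        u = SEUser(m.group("id"), roles, m.group("level"), m.group("low"),
                   m.group("high") or m.group("low"))
        # Like the compiler, require the default level to lie within the range (sensitivity only here).
        if u.level and not sensitivity(u.low) <= sensitivity(u.level) <= sensitivity(u.high):
            raise ValueError(f"{u.name}: default level {u.level} outside {u.low} - {u.high}")
        users.append(u)
    return users
```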
semanage(8) Command example:

```
# Add user mque_u to SELinux and associate to the unconfined_r
# role:
semanage user -a -R unconfined_r mque_u
```
This command will produce the following files in the default <policy_name> policy store and then activate the policy:
/etc/selinux/<policy_name>/modules/active/users.local:

```
# This file is auto-generated by libsemanage
# Do not edit directly.
user mque_u roles { unconfined_r } ;
```

/etc/selinux/<policy_name>/modules/active/users_extra:

```
# This file is auto-generated by libsemanage
# Do not edit directly.
user mque_u prefix user;
```

/etc/selinux/<policy_name>/modules/active/users_extra.local:

```
# This file is auto-generated by libsemanage
# Do not edit directly.
user mque_u prefix user;
```