Difference between revisions of "UserStatements"
From SELinux Wiki
(New page: = User Statement = == user Statement == The user statement is used to declare an SELinux user identifier within the policy and associate that to one or more roles. The statement also allow...) |
|||
| Line 65: | Line 65: | ||
|- | |- | ||
| − | |<center> | + | | <center>[[ConditionalStatements#if | if Statement]]</center> |
| − | |<center> | + | | <center>[[PolicyStatements#optional | optional Statement]] </center> |
| − | |<center> | + | | <center>[[PolicyStatements#require | require Statement]] </center> |
|- | |- | ||
| Line 79: | Line 79: | ||
'''Example:''' | '''Example:''' | ||
<pre> | <pre> | ||
| − | + | # Using the user statement to define an SELinux user user_u that | |
| − | + | # has been assigned the role of user_r. The SELinux user_u is a | |
| − | + | # generic user identity for Linux users who have no specific | |
| − | + | # SELinux user identity defined. | |
| − | + | # | |
user user_u roles { user_r }; | user user_u roles { user_r }; | ||
| Line 91: | Line 91: | ||
'''MLS Examples:''' | '''MLS Examples:''' | ||
<pre> | <pre> | ||
| − | + | # Using the user statement to define an MLS SELinux user user_u | |
| − | + | # that has been assigned the role of user_r and has a default | |
| − | + | # login security level of s0 assigned, and is only allowed access | |
| − | + | # to the s0 range of security levels. | |
user user_u roles { user_r } level s0 range s0; | user user_u roles { user_r } level s0 range s0; | ||
| Line 100: | Line 100: | ||
<pre> | <pre> | ||
| − | + | # Using the user statement to define an MLS SELinux user | |
| − | + | # sysadm_u that has been assigned the role of sysadm_r and has | |
| − | + | # a default login security level of s0 assigned, and is | |
| − | + | # allowed access to the range of security levels (low - high) | |
| − | + | # between s0 and s15:c0.c255 | |
user sysadm_u roles { sysadm_r } level s0 range s0 - s15:c0.c255; | user sysadm_u roles { sysadm_r } level s0 range s0 - s15:c0.c255; | ||
| Line 112: | Line 112: | ||
'''semanage(8) Command example:''' | '''semanage(8) Command example:''' | ||
<pre> | <pre> | ||
| − | + | # Add user mque_u to SELinux and associate to the unconfined_r role: | |
| − | + | ||
semanage user -a -R unconfined_r mque_u | semanage user -a -R unconfined_r mque_u | ||
</pre> | </pre> | ||
| − | |||
This command will produce the following files in the default <nowiki><policy_name></nowiki> policy store and then activate the policy: | This command will produce the following files in the default <nowiki><policy_name></nowiki> policy store and then activate the policy: | ||
| Line 123: | Line 121: | ||
<nowiki>/etc/selinux/<policy_name>/modules/active/users.local:</nowiki> | <nowiki>/etc/selinux/<policy_name>/modules/active/users.local:</nowiki> | ||
<pre> | <pre> | ||
| − | + | # This file is auto-generated by libsemanage | |
| − | + | # Do not edit directly. | |
user mque_u roles { unconfined_r } ; | user mque_u roles { unconfined_r } ; | ||
| Line 131: | Line 129: | ||
<nowiki>/etc/selinux/<policy_name>/modules/active/users_extra:</nowiki> | <nowiki>/etc/selinux/<policy_name>/modules/active/users_extra:</nowiki> | ||
<pre> | <pre> | ||
| − | + | # This file is auto-generated by libsemanage | |
| − | + | # Do not edit directly. | |
user mque_u prefix user; | user mque_u prefix user; | ||
| Line 139: | Line 137: | ||
<nowiki>/etc/selinux/<policy_name>/modules/active/users_extra.local:</nowiki> | <nowiki>/etc/selinux/<policy_name>/modules/active/users_extra.local:</nowiki> | ||
<pre> | <pre> | ||
| − | + | # This file is auto-generated by libsemanage | |
| − | + | # Do not edit directly. | |
user mque_u prefix user; | user mque_u prefix user; | ||
</pre> | </pre> | ||
| + | |||
| + | |||
| + | {| style="width: 100%;" border="0" | ||
| + | |- | ||
| + | | [[DefaultRules | '''Previous''']] | ||
| + | | <center>[[NewUsers | '''Home''']]</center> | ||
| + | | <center>[[RoleStatements | '''Next''']]</center> | ||
| + | |} | ||
| + | |||
| + | ---- | ||
| + | <references/> | ||
| + | |||
| + | [[Category:Notebook]] | ||
Revision as of 14:05, 11 December 2014
User Statement
user Statement
The user statement is used to declare an SELinux user identifier within the policy and associate that to one or more roles. The statement also allows an optional MLS level and range to control a users security level. It is also possible to add SELinux user id's outside the policy using the 'semanage user' command that will associate the user with roles previously declared within the policy.
The statement definition is:
user seuser_id roles role_id;
Or for MCS/MLS Policy:
user seuser_id roles role_id level mls_level range mls_range;
Where:
| user | The user keyword. |
| seuser_id | The SELinux user identifier. |
| roles | The roles keyword. |
| role_id | One or more previously declared role identifiers. Multiple role identifiers consist of a space separated list enclosed in braces ({}). |
| level | If MLS is configured, the MLS level keyword. |
| mls_level | The users default MLS security level that has been previously declared with a level Statement.
Note that the compiler only accepts the sensitivity component of the level (e.g. s0). |
| range | If MLS is configured, the MLS range keyword. |
| mls_range | The range of security levels that the user can run. The format is described in the MLS range Definition section. |
The statement is valid in:
| |
|
|
Example:
# Using the user statement to define an SELinux user user_u that
# has been assigned the role of user_r. The SELinux user_u is a
# generic user identity for Linux users who have no specific
# SELinux user identity defined.
#
user user_u roles { user_r };
MLS Examples:
# Using the user statement to define an MLS SELinux user user_u
# that has been assigned the role of user_r and has a default
# login security level of s0 assigned, and is only allowed access
# to the s0 range of security levels.
user user_u roles { user_r } level s0 range s0;
# Using the user statement to define an MLS SELinux user
# sysadm_u that has been assigned the role of sysadm_r and has
# a default login security level of s0 assigned, and is
# allowed access to the range of security levels (low - high)
# between s0 and s15:c0.c255
user sysadm_u roles { sysadm_r } level s0 range s0 - s15:c0.c255;
semanage(8) Command example:
# Add user mque_u to SELinux and associate to the unconfined_r role: semanage user -a -R unconfined_r mque_u
This command will produce the following files in the default <policy_name> policy store and then activate the policy:
/etc/selinux/<policy_name>/modules/active/users.local:
# This file is auto-generated by libsemanage
# Do not edit directly.
user mque_u roles { unconfined_r } ;
/etc/selinux/<policy_name>/modules/active/users_extra:
# This file is auto-generated by libsemanage # Do not edit directly. user mque_u prefix user;
/etc/selinux/<policy_name>/modules/active/users_extra.local:
# This file is auto-generated by libsemanage # Do not edit directly. user mque_u prefix user;
| Previous | |
|
