UserStatements

From SELinux Wiki
Revision as of 15:23, 29 November 2009 by RichardHaines (Talk | contribs)


User Statement

user Statement

The user statement is used to declare an SELinux user identifier within the policy and associate it with one or more roles. The statement also allows an optional MLS level and range to control the user's security level. It is also possible to add SELinux user IDs outside the policy using the 'semanage user' command, which associates the user with roles previously declared within the policy.


The statement definition is:

user seuser_id roles role_id;

Or for MCS/MLS Policy:

user seuser_id roles role_id level mls_level range mls_range;


Where:

user        The user keyword.
seuser_id   The SELinux user identifier.
roles       The roles keyword.
role_id     One or more previously declared role identifiers. Multiple role identifiers consist of a space separated list enclosed in braces ({}).
level       If MLS is configured, the MLS level keyword.
mls_level   The user's default MLS security level that has been previously declared with a level Statement. Note that the compiler only accepts the sensitivity component of the level (e.g. s0).
range       If MLS is configured, the MLS range keyword.
mls_range   The range of security levels that the user can run at. The format is described in the MLS range Definition section.


The statement is valid in:

Monolithic Policy   Base Policy   Module Policy
Yes                 Yes           Yes

Conditional Policy (if) Statement   optional Statement   require Statement
No                                  Yes                  Yes


Example:

# Using the user statement to define an SELinux user user_u that
# has been assigned the role of user_r. The SELinux user_u is a 
# generic user identity for Linux users who have no specific 
# SELinux user identity defined. 
#

user user_u roles { user_r };


MLS Examples:

# Using the user statement to define an MLS SELinux user user_u 
# that has been assigned the role of user_r and has a default 
# login security level of s0 assigned, and is only allowed access
# to the s0 range of security levels.

user user_u roles { user_r } level s0 range s0;

# Using the user statement to define an MLS SELinux user 
# sysadm_u that has been assigned the role of sysadm_r and has 
# a default login security level of s0 assigned, and is 
# allowed access to the range of security levels (low - high)
# between s0 and s15:c0.c255

user sysadm_u roles { sysadm_r } level s0 range s0 - s15:c0.c255;


semanage(8) Command example:

# Add user mque_u to SELinux and associate to the unconfined_r 
# role:

semanage user -a -R unconfined_r mque_u


This command will produce the following files in the default <policy_name> policy store and then activate the policy:

/etc/selinux/<policy_name>/modules/active/users.local:

# This file is auto-generated by libsemanage
# Do not edit directly.

user mque_u roles { unconfined_r } ;

/etc/selinux/<policy_name>/modules/active/users_extra:

# This file is auto-generated by libsemanage
# Do not edit directly.

user mque_u prefix user;

/etc/selinux/<policy_name>/modules/active/users_extra.local:

# This file is auto-generated by libsemanage
# Do not edit directly.

user mque_u prefix user;
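The following added example (not code from the SELinux wiki or from libsemanage) is a small parser for the user statement forms shown above: the non-MLS form, the MLS form with level and range, and the "user ... roles { ... } ;" line that semanage writes into users.local. It also performs the check a policy reviewer would want before a build: that each user's default login level lies within the declared range. The sample policy text is constructed for this example; staff_u and bad_u are hypothetical identifiers not taken from the page, and the level check assumes sensitivities are named sN and ordered numerically, as in the page's s0 .. s15 examples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample policy text, constructed for this example from the statement forms
# on the page. staff_u and bad_u are hypothetical identifiers added here so
# the parser sees a multi-role user and a level that falls outside its range.
SAMPLE_POLICY = """
# generic non-MLS user
user user_u roles { user_r };
user user_u roles { user_r } level s0 range s0;
user sysadm_u roles { sysadm_r } level s0 range s0 - s15:c0.c255;
user staff_u roles { staff_r sysadm_r } level s0 range s0 - s15:c0.c1023;
user mque_u roles { unconfined_r } ;
user bad_u roles { user_r } level s3 range s0 - s2;
"""


@dataclass
class UserStatement:
    seuser: str
    roles: List[str]
    level: Optional[str] = None       # default login level, e.g. "s0"
    range_low: Optional[str] = None   # low end of the permitted range
    range_high: Optional[str] = None  # high end (equals low for "range s0")


# Matches "user <id> roles <role>|{ <roles> } [level <l> range <r>] ;"
_USER_RE = re.compile(
    r"""^user\s+(?P<user>\w+)\s+roles\s+
        (?:\{\s*(?P<roles>[\w\s]+?)\s*\}|(?P<role>\w+))
        (?:\s+level\s+(?P<level>\S+)\s+range\s+(?P<range>.+?))?
        \s*;\s*$""",
    re.VERBOSE,
)


def parse_user_statements(text: str) -> List[UserStatement]:
    """Parse every user statement in text; '#' starts a comment."""
    stmts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _USER_RE.match(line)
        if not m:
            raise ValueError(f"not a user statement: {line!r}")
        roles = m.group("roles").split() if m.group("roles") else [m.group("role")]
        low = high = None
        if m.group("range"):
            # "low - high"; a single level means low == high
            parts = [p.strip() for p in m.group("range").split("-")]
            low = parts[0]
            high = parts[1] if len(parts) > 1 else low
        stmts.append(UserStatement(m.group("user"), roles, m.group("level"), low, high))
    return stmts


def _sensitivity(level: str) -> int:
    """Numeric sensitivity of a level such as "s15:c0.c255".

    Assumption: sensitivities are named sN and ordered numerically. Only the
    sensitivity part is compared, matching the note that the compiler accepts
    just the sensitivity component for the default level."""
    sens = level.split(":", 1)[0]
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"unexpected sensitivity name: {sens!r}")
    return int(sens[1:])


def check_level_in_range(stmt: UserStatement) -> bool:
    """True if the default level sits within low..high, or if no MLS fields."""
    if stmt.level is None:
        return True
    return (_sensitivity(stmt.range_low)
            <= _sensitivity(stmt.level)
            <= _sensitivity(stmt.range_high))


def find_problems(text: str) -> List[str]:
    """Report every user whose default level is outside its declared range."""
    problems = []
    for s in parse_user_statements(text):
        if not check_level_in_range(s):
            problems.append(
                f"{s.seuser}: default level {s.level} outside range "
                f"{s.range_low} - {s.range_high}")
    return problems


if __name__ == "__main__":
    for s in parse_user_statements(SAMPLE_POLICY):
        print(s)
    print(find_problems(SAMPLE_POLICY))
```

Running the script lists each parsed statement and reports bad_u, whose default level s3 is not dominated by the top of its s0 - s2 range; the same check can be pointed at users.local before loading a policy that semanage has modified.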