Building on your understanding from reading Section 2.10 SELinux Users and Roles, this section covers the specific
roles enabled for the targeted policy. As explained previously, roles are
not very active in the targeted policy, but can be an essential part of a
localized SELinux installation. You can see that
unconfined_t is in every role, which
significantly reduces the usefulness of roles in the targeted policy.
Using roles more extensively requires a change to the strict policy
paradigm, where every process runs in an individually considered domain.
Effectively, there are only two roles in the targeted policy:
system_r and
object_r. The initial role is
system_r, and everything else inherits
that role. The remaining roles are defined for compatibility purposes
between the targeted policy and strict policy.
Of the four roles, three are defined by the policy. The role
object_r is an implied role and is not
found in policy source. Since roles are created and populated by types
through one or more declarations in
$SELINUX_SRC/domains/*, there is not a single file that
declares all the roles. To generate the lists of types and their roles in
this section, the policy analysis tool apol was
used. Usage of this tool is explained in
Section 6.3 Using apol for Policy Analysis.
- system_r
This role is for all system processes except user
processes:
unconfined_t
httpd_t
httpd_sys_script_t
httpd_suexec_t
httpd_php_t
httpd_helper_t
dhcpd_t
ldconfig_t
mailman_queue_t
mailman_mail_t
mailman_cgi_t
system_mail_t
mysqld_t
named_t
ndc_t
nscd_t
ntpd_t
portmap_t
postgresql_t
snmpd_t
squid_t
syslogd_t
winbind_t
ypbind_t |
- user_r
This is the default user role for regular Linux users. In a strict
policy, individual users might be used, allowing for the users to
have special roles to do privileged operations. In the targeted
policy, all users run in a single domain:
- object_r
In SELinux, roles are not utilized for objects when RBAC is being
used. Roles are strictly for subjects. This is because roles are
task-oriented and they group together doers, which are subjects. For
this reason, all objects universally have the role
object_r, and the role is only used
as a placeholder in the label.
- sysadm_r
This is the system administrator role in a strict policy. In
such a policy, switching to the root user with su
gives you the role of sysadm_r. However, if you
login directly as the root user, you may default to
staff_r and still need to run
newrole -r sysadm_r before doing many system
administration tasks. In the targeted policy, the following retain
sysadm_r for compatibility:
unconfined_t
httpd_sys_script_t
httpd_helper_t
ldconfig_t
ndc_t |
Similar to the situation for roles, there is effectively only one user
identity in the targeted policy. The identity
user_u was chosen because
libselinux falls back to
user_u as the default SELinux user
identity. This occurs when there is no matching SELinux user for the Linux
user who is logging in. Using user_u as
the single user in the targeted policy makes it easier to switch to the
strict policy. The remaining users exist for compatibility with the
strict policy.
The one exception is the SELinux user root.
This user identity is picked up by login programs such as
su, and you may notice
root as the user identity in a process's
context. This occurs when the SELinux user
root starts daemons from the command
line, or restarts a daemon originally started by init.
Here is a brief look at the $SELINUX_SRC/users file.
Comments in /* */ are annotations from
this guide, all other content is original source from the
users file.
src/policy/users
# Each user has a set of roles that may be entered by
# processes with the users identity. The syntax of a user
# declaration is: #
# user username roles role_set [ ranges MLS_range_set ];
# system_u is the user identity for system processes and
# objects. There should be no corresponding Unix user
# identity for system_u, and a user process should never be
# assigned the system_u user identity.
user system_u roles system_r;
/* ^- user name ^- the role user name can have */
# user_u is a generic user identity for Linux users who have
# no SELinux user identity defined. Authorized for all
# roles in the (targeted) policy. sysadm_r is retained for
# compatibility, but could be dropped as long as userspace
# has no hardcoded dependency on it. user_u must be
# retained due to present userspace hardcoded dependency.
user user_u roles { user_r sysadm_r system_r };
/* ^-user name ^-set of roles the user name can have */
# root is retained as a separate user identity simply as a
# compatibility measure with the "strict" policy. It could
# be dropped and mapped to user_u but this allows existing
# file contexts that have "root" as the user identity to
# remain valid.
user root roles { user_r sysadm_r system_r };
/* ^user name ^- set of roles */ |