Chapter 2. SELinux Policy Overview
2.10.2. SELinux Users
SELinux user identities are different from UNIX identities. They are applied as part of the security label and can be changed at runtime only under limited conditions. SELinux identities are not primarily used in the targeted policy: in the targeted policy, processes and objects are system_u, and the default for Linux users is user_u. When identities are part of the policy scheme, they are usually identical to the Linux account name (UID) and are compiled into the policy. In such a strict policy, some system accounts may run under a generic, unprivileged user_u identity, while other accounts have direct identities in the policy database. [4]
For a review of the roles and users, including a discussion of the $SELINUX_SRC/users file, refer to Section 3.5 Understanding the Roles and Users in the Targeted Policy.
2.11. TE Rules - Constraints
These rules are defined in $SELINUX_SRC/constraints, and provide final and overarching constraints on the use of permissions that are enforced at runtime by the kernel security server. The constraints are in the form of Boolean expressions. The expression must be satisfied for the given permission to be granted. A constraint can only take away a permission that the TE allow rules have already granted; it never grants a permission on its own, so an allow rule that matches can still be denied by a constraint.
For example, the following constraint pertains to a process transition. It says that when a transition takes place, the user identity on the process must remain the same through the transition. If httpd_t tries to transition to httpd_suexec_t, the user identity user_u must remain the same. The exception is if the source domain has the attribute privuser; it then has the privilege to change user identity. In the expression, u1 and u2 are the user identities of the source and target contexts, and t1 == privuser is true when the source type is one of the types that carry the privuser attribute:
constrain process transition ( u1 == u2 or t1 == privuser );
A constraint can restrict the source and target based on type, role, or user identity. This is different from the other rule types: TE rules use only types, while role allow rules use a pair of roles.
This is from the constraints file and further explains the syntax of constraints in the targeted policy:
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression )
#            | not expression
#            | expression and expression
#            | expression or expression
#            | u1 op u2
#            | r1 role_op r2
#            | t1 op t2
#            | u1 op names
#            | u2 op names
#            | r1 op names
#            | r2 op names
#            | t1 op names
#            | t2 op names
#
# op : == | !=
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
4. Linux UIDs and SELinux user identities should match because login and similar applications try to look up a SELinux identity with the same name as the Linux account. If no match is found, they fall back to user_u.
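To make the constraint grammar and the process transition example in Section 2.11 concrete, the following is an added example written for this page; it is not code from the SELinux project or from the guide. It parses a constrain rule in the grammar quoted above (with the same precedence: or binds loosest, then and, then not), expands an attribute name on the right of t1/t2 to the set of types carrying that attribute as checkpolicy does, and evaluates the expression for a source and target context. The role operators dom, domby and incomp are deliberately left unimplemented, and the contexts and the set of privuser types below are constructed for illustration, not taken from a real policy.

```python
"""Evaluate SELinux 'constrain' rules for a source -> target context pair.

Added illustration for the constraints grammar; not SELinux project code.
Attribute membership and sample contexts below are constructed."""
import re
from dataclasses import dataclass

SELECTORS = ("u1", "u2", "r1", "r2", "t1", "t2")
_TOKEN = re.compile(r"\(|\)|\{|\}|==|!=|;|\w+")


@dataclass(frozen=True)
class Context:
    user: str   # SELinux user identity, e.g. user_u or system_u
    role: str   # e.g. system_r
    type: str   # e.g. httpd_t


class ConstraintParser:
    """Recursive-descent parser for: constrain class_set perm_set expression ;"""

    def __init__(self, text):
        self.toks, self.pos = _TOKEN.findall(text), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def names(self):                       # names : name | { name_list }
        if self.peek() != "{":
            return {self.take()}
        self.take("{")
        out = set()
        while self.peek() != "}":
            out.add(self.take())
        self.take("}")
        return out

    def rule(self):
        self.take("constrain")
        classes, perms = self.names(), self.names()
        expr = self.expr()
        self.take(";")
        return classes, perms, expr

    def expr(self):                        # 'or' has the lowest precedence
        left = self.and_expr()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.and_expr())
        return left

    def and_expr(self):
        left = self.not_expr()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.not_expr())
        return left

    def not_expr(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.not_expr())
        if self.peek() == "(":
            self.take("(")
            inner = self.expr()
            self.take(")")
            return inner
        return self.atom()

    def atom(self):
        lhs = self.take()
        if lhs not in SELECTORS:
            raise SyntaxError(f"unknown selector {lhs!r}")
        op = self.take()
        if op in ("dom", "domby", "incomp"):
            raise NotImplementedError(f"role operator {op!r} is not modelled")
        if op not in ("==", "!=", "eq"):
            raise SyntaxError(f"bad operator {op!r}")
        if self.peek() in SELECTORS:       # u1 op u2, r1 role_op r2, t1 op t2
            return ("cmp", lhs, op, self.take())
        return ("in", lhs, op, self.names())   # u1 op names, t1 op names, ...


def evaluate(node, src, tgt, attributes):
    """attributes maps an attribute name (e.g. privuser) to its member types."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], src, tgt, attributes) or evaluate(node[2], src, tgt, attributes)
    if kind == "and":
        return evaluate(node[1], src, tgt, attributes) and evaluate(node[2], src, tgt, attributes)
    if kind == "not":
        return not evaluate(node[1], src, tgt, attributes)
    sel = {"u1": src.user, "r1": src.role, "t1": src.type,
           "u2": tgt.user, "r2": tgt.role, "t2": tgt.type}
    _, lhs, op, rhs = node
    if kind == "cmp":
        hit = sel[lhs] == sel[rhs]
    else:
        expanded = set()
        for name in rhs:   # only type selectors expand attribute names
            expanded |= attributes.get(name, {name}) if lhs[0] == "t" else {name}
        hit = sel[lhs] in expanded
    return hit if op in ("==", "eq") else not hit


def constraint_permits(rule_text, cls, perm, src, tgt, attributes=None):
    """True if the constraint lets `perm` on `cls` through for src -> tgt.
    A constraint naming another class or permission does not apply (True);
    the TE allow rule itself is checked separately by the kernel."""
    classes, perms, expr = ConstraintParser(rule_text).rule()
    if cls not in classes or perm not in perms:
        return True
    return evaluate(expr, src, tgt, attributes or {})


# The rule quoted in Section 2.11; privuser membership is constructed here.
TRANSITION_RULE = "constrain process transition ( u1 == u2 or t1 == privuser );"
ATTRIBUTES = {"privuser": {"local_login_t", "sshd_t"}}

if __name__ == "__main__":
    httpd = Context("user_u", "system_r", "httpd_t")
    suexec = Context("user_u", "system_r", "httpd_suexec_t")
    print(constraint_permits(TRANSITION_RULE, "process", "transition", httpd, suexec, ATTRIBUTES))
```

The evaluator answers only the constraint half of the decision: a transition that passes here still needs a matching TE allow rule, and one that fails here is denied even if an allow rule exists. Swapping the source to a type that is not in the privuser set while changing the user identity is the quickest way to see the constraint bite.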