Chapter 3. Targeted Policy Overview
object_r
In SELinux, roles are not utilized for objects when RBAC is being used. Roles are strictly for subjects. This is because roles are task oriented and they group together doers, which are subjects. For this reason, all objects universally have the role object_r, and the role is only used as a placeholder in the label.
sysadm_r
This is the system administrator role in a strict policy. In such a policy, switching to the root user with su gives you the role of sysadm_r. However, if you log in directly as the root user, you may default to staff_r and still need to run newrole -r sysadm_r before doing many system administration tasks. In the targeted policy, the following retain sysadm_r for compatibility:
unconfined_t
httpd_sys_script_t
httpd_helper_t
ldconfig_t
ndc_t
Similar to the situation for roles, there is effectively only one user identity in the targeted policy. The identity user_u was chosen because libselinux falls back to user_u as the default SELinux user identity. This occurs when there is no matching SELinux user for the Linux user who is logging in. Using user_u as the single user in the targeted policy makes it easier to switch to the strict policy. The remaining users exist for compatibility with the strict policy.[2]
The one exception is the SELinux user root. This user identity is picked up by login programs such as su, and you may notice root as the user identity in a process's context. This occurs when the SELinux user root starts daemons from the command line, or restarts a daemon originally started by init.
Here is a brief look at the $SELINUX_SRC/users file. Comments in /* */ are annotations from this guide; all other content is original source from the users file.
src/policy/users

# Each user has a set of roles that may be entered by
# processes with the users identity.  The syntax of a user
# declaration is:
#
#     user username roles role_set [ ranges MLS_range_set ];
#
# system_u is the user identity for system processes and
# objects.  There should be no corresponding Unix user
# identity for system_u, and a user process should never be
# assigned the system_u user identity.
#
user system_u roles system_r;
/*   ^ user name      ^ the role user name can have */
#
# user_u is a generic user identity for Linux users who have
# no SELinux user identity defined.  Authorized for all
# roles in the (targeted) policy.  sysadm_r is retained for
# compatibility, but could be dropped as long as userspace
# has no hardcoded dependency on it.  user_u must be
# retained due to present userspace hardcoded dependency.
#
user user_u roles { user_r sysadm_r system_r };
/*   ^ user name      ^ set of roles the user name can have */
2. A user aliasing mechanism would work here, as well, to alias all identities from the strict policy to a single
user identity in the targeted policy.
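The two rules this section states, that every object carries the placeholder role object_r and that a subject's role must be one its SELinux user is authorized for in the users file, can be checked mechanically. The following Python is an added example written for this guide, not code from the SELinux policy sources or from libselinux: it parses declarations in the "user username roles role_set [ ranges MLS_range_set ];" syntax shown above and validates user:role:type[:range] contexts against them. The users file text embedded in the block is a constructed sample (the staff_u line with a ranges clause is invented only to exercise the optional MLS syntax), and the function names parse_users and check_context are this example's own.

```python
import re

# Constructed sample in the users-file syntax quoted above; not the real policy file.
USERS_FILE = """\
# system_u is the user identity for system processes and objects.
user system_u roles system_r;

# user_u is a generic user identity for Linux users who have
# no SELinux user identity defined.
user user_u roles { user_r sysadm_r system_r };

# Constructed MLS declaration, present only to exercise the optional ranges clause.
user staff_u roles { staff_r sysadm_r } ranges s0 - s0:c0.c255;
"""

# user NAME roles ( { r1 r2 ... } | r1 ) [ ranges ... ] ;
DECL_RE = re.compile(
    r"^user\s+(?P<name>\w+)\s+roles\s+"
    r"(?:\{\s*(?P<set>[^}]*)\}|(?P<single>\w+))"
    r"(?:\s+ranges\s+(?P<ranges>[^;]+))?\s*;$"
)


def parse_users(text):
    """Parse user declarations into {username: {"roles": set, "ranges": str|None}}.
    Comment lines (#) and blank lines are skipped; anything else must parse."""
    users = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DECL_RE.match(line)
        if not m:
            raise ValueError(f"unparseable user declaration: {raw!r}")
        if m.group("set") is not None:
            roles = set(m.group("set").split())
        else:
            roles = {m.group("single")}
        ranges = (m.group("ranges") or "").strip() or None
        users[m.group("name")] = {"roles": roles, "ranges": ranges}
    return users


def check_context(context, users, is_object=False):
    """Validate a security context string against the parsed declarations.

    Objects must carry the placeholder role object_r regardless of user.
    Subjects must name a known SELinux user and a role in that user's role set.
    Returns "ok" or a short description of the first problem found."""
    parts = context.split(":")
    if len(parts) < 3:
        return "malformed context"
    user, role = parts[0], parts[1]
    if is_object:
        return "ok" if role == "object_r" else f"object labelled with non-object role {role}"
    if user not in users:
        return f"unknown SELinux user {user}"
    if role not in users[user]["roles"]:
        return f"role {role} not authorised for user {user}"
    return "ok"


if __name__ == "__main__":
    declared = parse_users(USERS_FILE)
    for name, info in declared.items():
        print(f"{name}: roles={sorted(info['roles'])} ranges={info['ranges']}")
    # A daemon running as user_u:system_r and a file labelled with object_r both pass.
    print(check_context("user_u:system_r:httpd_t", declared))
    print(check_context("system_u:object_r:httpd_sys_content_t", declared, is_object=True))
    # A process that somehow carries object_r is flagged, as is a role outside the user's set.
    print(check_context("user_u:object_r:etc_t", declared))
    print(check_context("system_u:sysadm_r:unconfined_t", declared))
```

On a live system the contexts to feed check_context come from ps -Z for subjects and ls -Z for objects; the parser deliberately rejects any non-comment line it cannot match rather than skipping it, so a typo in a declaration surfaces immediately instead of silently dropping a user.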