Difference between revisions of "NB USERS"

From SELinux Wiki
(New page: = SELinux Users = Users in GNU / Linux are generally associated to human users (such as Alice and Bob) or operator/system functions (such as admin), while this can be implemented in SELinu...)
 
 
Line 2: Line 2:
 
Users in GNU / Linux are generally associated to human users (such as Alice and Bob) or operator/system functions (such as admin), while this can be implemented in SELinux, SELinux user names are generally groups or classes of user. For example all the standard system users could be assigned an SELinux user name of <tt>user_u</tt> and administration staff under <tt>staff_u</tt>.  
 
Users in GNU / Linux are generally associated to human users (such as Alice and Bob) or operator/system functions (such as admin), while this can be implemented in SELinux, SELinux user names are generally groups or classes of user. For example all the standard system users could be assigned an SELinux user name of <tt>user_u</tt> and administration staff under <tt>staff_u</tt>.  
  
There is one special SELinux user defined in the Refernce Policy that must never be associated to a GNU / Linux user as it a special identity for system processes and objects, this user is system_u.
+
There is one special SELinux user defined in the [[NB_RefPolicy | Reference Policy]] that must never be associated to a GNU / Linux user as it a special identity for system processes and objects, this user is system_u.
  
 
The SELinux user name is the first component of a 'security context' and by convention SELinux user names end in '<tt>_u</tt>', however this is not enforced by any SELinux service (i.e. it is only to identify the user component), although CIL with namespaces does make identification of an SELinux user easier for example a 'user' could be declared as <tt>unconfined.user</tt>.  
 
The SELinux user name is the first component of a 'security context' and by convention SELinux user names end in '<tt>_u</tt>', however this is not enforced by any SELinux service (i.e. it is only to identify the user component), although CIL with namespaces does make identification of an SELinux user easier for example a 'user' could be declared as <tt>unconfined.user</tt>.  
  
 
It is possible to add constraints and bounds on SELinux users as discussed in the [[NB_TE | Type Enforcement]] section.
 
It is possible to add constraints and bounds on SELinux users as discussed in the [[NB_TE | Type Enforcement]] section.
 +
 +
 +
{| style="width: 100%;" border="0"
 +
|-
 +
| [[NB_MAC | '''Previous''']]
 +
| <center>[[NewUsers | '''Home''']]</center>
 +
| <center>[[NB_RBAC | '''Next''']]</center>
 +
|}
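
Review bot: the changed system_u sentence corrects "Refernce" and adds the [[NB_RefPolicy | Reference Policy]] link, but it still reads "as it a special identity", which is missing "is", and it still joins the final clause with a comma splice. Suggest "as it is a special identity for system processes and objects: <tt>system_u</tt>", which also puts system_u in <tt> to match user_u and staff_u in the paragraph above.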
  
  

Latest revision as of 13:21, 7 December 2014

SELinux Users

Users in GNU / Linux are generally associated with human users (such as Alice and Bob) or operator/system functions (such as admin). While this can be implemented in SELinux, SELinux user names are generally groups or classes of user. For example, all the standard system users could be assigned an SELinux user name of user_u and administration staff one of staff_u.

There is one special SELinux user defined in the Reference Policy that must never be associated with a GNU / Linux user, as it is a special identity for system processes and objects: system_u.

The SELinux user name is the first component of a 'security context', and by convention SELinux user names end in '_u'. However, this is not enforced by any SELinux service (i.e. it is only to identify the user component). CIL with namespaces does make identification of an SELinux user easier; for example, a 'user' could be declared as unconfined.user.

It is possible to add constraints and bounds on SELinux users as discussed in the Type Enforcement section.
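
The following is an added example, not part of the original wiki page: it extracts the SELinux user from a security context and audits login mappings for any GNU / Linux login associated with system_u. The `login:selinux_user[:range]` line format is an assumption modelled on the seusers login-mapping file, and the sample mappings and function names are constructed for illustration.

```python
# Added example: the mapping format is an assumption, the sample is constructed.
RESERVED_USER = "system_u"  # identity for system processes and objects

def selinux_user(context):
    """Return the user, the first component of 'user:role:type[:range]'."""
    parts = context.split(":", 3)  # the optional range may contain ':'
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a security context: {context!r}")
    return parts[0]

def parse_mappings(text):
    """Yield (login, selinux_user) from 'login:selinux_user[:range]' lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"line {lineno}: malformed mapping {raw!r}")
        yield fields[0], fields[1]

def audit(text):
    """Return (login, selinux_user, finding) for mappings worth a look."""
    findings = []
    for login, seuser in parse_mappings(text):
        if seuser == RESERVED_USER:
            findings.append((login, seuser, "reserved system identity"))
        elif not seuser.endswith("_u"):
            # Only a naming convention: report it, do not treat as an error.
            findings.append((login, seuser, "name does not end in _u"))
    return findings

# Constructed sample mappings (not taken from a real system).
SAMPLE = """\
# login:selinux_user[:range]
__default__:user_u:s0
alice:user_u:s0
admin:staff_u:s0-s0:c0.c1023
backup:system_u:s0-s0:c0.c1023
carol:unconfined.user:s0
"""

if __name__ == "__main__":
    for login, seuser, finding in audit(SAMPLE):
        print(f"{login}: {seuser}: {finding}")
```

The namespaced name unconfined.user is reported only as a departure from the '_u' convention, since nothing in SELinux enforces that suffix.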

