Handling SELinux roles
We saw how SELinux users define the role(s) that a user can hold. But how does SELinux enforce which role a user logs in through? And when logged in, how can a user switch their active role?
Defining allowed SELinux contexts
To select the context assigned to a successfully authenticated user, SELinux introduces the notion of a default context. Based on the context of the service through which a user logs in (or through which the user executes commands), the system selects the right user context.
Inside the /etc/selinux/targeted/contexts directory, a file called default_contexts exists. Each line in this file starts with the SELinux context information of the parent process and is then followed by an ordered list of all the contexts that could be picked based on the user's allowed SELinux role(s).
Consider the following line from that file for the sshd_t context:
system_r:sshd_t:s0 user_r:user_t:s0 \ ...
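The lookup described above can be modelled in a few lines. The following is an added example and is not code from the page or from the SELinux project: it parses a constructed default_contexts fragment (including backslash line continuations, as in the line shown), finds the row whose first field matches the parent process context, and walks that row's ordered candidate list until it reaches a context whose role the user is allowed to hold. The sample file content and the function names parse_default_contexts and select_context are assumptions made for illustration; the real file lives at /etc/selinux/targeted/contexts/default_contexts.

```python
"""Added example (not from the page or the SELinux project): a minimal
model of how default_contexts is consulted when a user logs in.

Each row: <parent role:type:level> <candidate context> <candidate> ...
The first candidate whose role is in the user's allowed role set wins.
"""
from typing import Dict, List, Optional

# Constructed sample fragment. The candidate lists follow the page's
# description of the format; the exact rows are illustrative only.
SAMPLE_DEFAULT_CONTEXTS = """\
# parent context        ordered candidate contexts
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 \\
    sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 \\
    sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 \\
    sysadm_r:cronjob_t:s0
"""


def parse_default_contexts(text: str) -> Dict[str, List[str]]:
    """Return {parent_context: [candidate contexts in file order]}.

    Joins lines that end with a backslash, drops comments and blank
    lines, and keeps the candidate order exactly as written, because
    that order is what decides the selection.
    """
    table: Dict[str, List[str]] = {}
    logical_lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: glue the next line on
            buf += line[:-1] + " "
            continue
        buf += line
        logical_lines.append(buf)
        buf = ""
    if buf:                              # trailing continuation with no successor
        logical_lines.append(buf)

    for line in logical_lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        table[fields[0]] = fields[1:]
    return table


def _role_type_level(context: str) -> str:
    """Reduce a full context (user:role:type:level) to role:type:level.

    default_contexts keys omit the SELinux user, so a full parent
    context such as system_u:system_r:sshd_t:s0 must be trimmed first.
    """
    parts = context.split(":")
    if len(parts) == 4:
        return ":".join(parts[1:])
    return context


def select_context(table: Dict[str, List[str]],
                   parent_context: str,
                   allowed_roles: List[str]) -> Optional[str]:
    """Pick the login context for a user reached via parent_context.

    Returns the first candidate whose role (first field) is one the
    user may hold, or None when the parent context is unknown or no
    candidate role is permitted (the login would then fail to get a
    context).
    """
    candidates = table.get(_role_type_level(parent_context), [])
    allowed = set(allowed_roles)
    for candidate in candidates:
        role = candidate.split(":", 1)[0]
        if role in allowed:
            return candidate
    return None


if __name__ == "__main__":
    t = parse_default_contexts(SAMPLE_DEFAULT_CONTEXTS)
    # A staff user logging in over SSH lands in staff_t, not user_t,
    # because user_r is listed first but is not one of their roles.
    print(select_context(t, "system_u:system_r:sshd_t:s0",
                         ["staff_r", "sysadm_r"]))
```

Note that file order, not the order of the user's roles, decides the outcome: a user who holds both staff_r and sysadm_r still gets staff_t over SSH because staff_r:staff_t:s0 appears earlier on the sshd_t row. Reordering or trimming a row is therefore a policy decision with direct effect on which domain an interactive session starts in.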