SELinux users and roles
Within SELinux systems, the moment a user logs in, the login system checks which SELinux user his or her Linux login is mapped to. Once that SELinux user is found, the system looks up the role and domain that the user should be placed in and sets the result as the user's context.
Listing SELinux user mappings
When logged in to the system, we can use id -Z to obtain the current SELinux context. For many users, this context will be unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, regardless of their username. If not that, it will be a context based on one of sysadm_u, staff_u, or user_u. This is because the majority of Linux distributions only provide a limited set of SELinux users by default, aligned with the SELinux roles that they support.
When the login process is triggered, a local definition file is checked to see which SELinux user the Linux account is mapped to. Let's take a look at the existing login mappings using semanage login -l.
. The following output is the...
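As an added illustration of the two commands described above (this is example code written for this page, not part of the book), the following POSIX shell script splits an id -Z style context into its user, role, type and range fields, and resolves which SELinux user a Linux login would receive from a semanage login -l listing. The listing is a constructed sample embedded in the script (the %wheel group mapping and the alice entry are assumptions, not a real system's output), and the resolution order (exact login name, then %group entries, then __default__) is stated here as an assumption about how the mapping is consulted.

```shell
#!/bin/sh
# Added example, not from the book: work with SELinux user mappings offline.

# Constructed sample of `semanage login -l` output. The __default__, root and
# system_u rows mirror a typical default; %wheel and alice are assumed additions.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
%wheel               sysadm_u             s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# split_context CONTEXT
# Prints "user role type range" for a context such as the one id -Z shows.
# The MLS/MCS range itself contains colons, so only the first three fields
# are split off; whatever remains is the range (empty on non-MLS policies).
split_context() {
    ctx=$1
    user=${ctx%%:*}; rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    case $rest in
        *:*) type=${rest%%:*}; range=${rest#*:} ;;
        *)   type=$rest;        range= ;;
    esac
    printf '%s %s %s %s\n' "$user" "$role" "$type" "$range"
}

# lookup_seuser LOGIN [GROUP...]
# Prints "seuser range" for LOGIN. Assumed resolution order: the exact login
# name, then a %group row for any of the supplied groups, then __default__.
# Returns 1 when nothing matches (no __default__ row in the listing).
lookup_seuser() {
    login=$1; shift
    group_keys=$(for g in "$@"; do printf '%%%s ' "$g"; done)
    for key in "$login" $group_keys __default__; do
        # Skip the header and the blank line; match on the first column only.
        match=$(printf '%s\n' "$SAMPLE_LOGINS" |
            awk -v k="$key" 'NR > 2 && $1 == k { print $2, $3; exit }')
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
            return 0
        fi
    done
    return 1
}

# Demonstration: use the live context if id -Z works here, otherwise the
# sample context quoted in the text.
ctx=$(id -Z 2>/dev/null) || ctx=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
echo "context fields: $(split_context "$ctx")"
echo "alice  -> $(lookup_seuser alice)"
echo "bob    -> $(lookup_seuser bob)"
echo "bob (in wheel) -> $(lookup_seuser bob wheel)"
```

Note that the script only reads the embedded sample; to inspect a real system, capture semanage login -l into SAMPLE_LOGINS instead. The point worth checking on any host is the __default__ row, since every login without its own entry or a matching group entry inherits that SELinux user and therefore its roles.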