44


Chapter 3. Targeted Policy Overview


object_r


In SELinux, roles are not utilized for objects when RBAC is being used. Roles are strictly for


subjects. This is because roles are task oriented and they group together doers, which are sub 


jects. For this reason, all objects universally have the role


object_r


, and the role is only used


as a placeholder in the label.


sysadm_r


This is the system administrator role in a strict policy. In such a policy, switching to the root user


with


su


gives you the role of


sysadm_r


. However, if you login directly as the root user, you may


default to


staff_r


and still need to run


newrole  r sysadm_r


before doing many system


administration tasks. In the targeted policy, the following retain


sysadm_r


for compatibility:


unconfined_t


httpd_sys_script_t


httpd_helper_t


ldconfig_t


ndc_t


Similar to the situation for roles, there is effectively only one user identity in the targeted policy. The


identity


user_u


was chosen because


libselinux


falls back to


user_u


as the default SELinux user


identity. This occurs when there is no matching SELinux user for the Linux user who is logging in.


Using


user_u


as the single user in the targeted policy makes it easier to switch to the strict policy.


The remaining users exist for compatibility with the strict policy.


2


The one exception is the SELinux user


root


. This user identity is picked up by login programs such


as


su


, and you may notice


root


as the user identity in a process's context. This occurs when the


SELinux user


root


starts daemons from the command line, or restarts a daemon originally started by


init


.


Here is a brief look at the


$SELINUX_SRC/users


file. Comments in


/* */


are annotations from this


guide, all other content is original source from the


users


file.


src/policy/users


# Each user has a set of roles that may be entered by


# processes with the users identity.


The syntax of a user


# declaration is: #


#


user username roles role_set [ ranges MLS_range_set ];


# system_u is the user identity for system processes and


# objects.


There should be no corresponding Unix user


# identity for system_u, and a user process should never be


# assigned the system_u user identity.


user system_u roles system_r;


/*


^  user name


^  the role user name can have


*/


# user_u is a generic user identity for Linux users who have


# no SELinux user identity defined.


Authorized for all


# roles in the (targeted) policy.


sysadm_r is retained for


# compatibility, but could be dropped as long as userspace


# has no hardcoded dependency on it.


user_u must be


# retained due to present userspace hardcoded dependency.


user user_u roles { user_r sysadm_r system_r };


/*


^ user name


^ set of roles the user name can have


*/


2. A user aliasing mechanism would work here, as well, to alias all identities from the strict policy to a single


user identity in the targeted policy.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved