26


Chapter 2. SELinux Policy Overview


2.10.2. SELinux Users


SELinux user identities are different from UNIX identities. They are applied as part of the security


label and can be changed in real time under limited conditions. SELinux identities are not primarily


used in the targeted policy. In the targeted policy, processes and objects are


system_u


, and the default


for Linux users is


user_u


. When identities are part of the policy scheme, they are usually identical to


the Linux account name (UID), and are compiled into the policy. In such a strict policy, some system


accounts may run under a generic, unprivileged


user_u


identity, while other accounts have direct


identities in the policy database.


4


For a review of the roles and users, including a discussion of the


$SELINUX_SRC/users


file, refer to


Section 3.5 Understanding the Roles and Users in the Targeted Policy.


2.11. TE Rules   Constraints


These rules are defined in


$SELINUX_SRC/constraints


, and provide final and overarching con 


straints on the use of permissions that are enforced during runtime by the kernel security server. The


constraints are in the form of Boolean expressions. The expression must be satisfied for the given


permission to be granted.


For example, the following constraint pertains to a process transition. It says that when a transition


takes place, the user identity on the process must remain the same through the transition. If


httpd_t


tries to transition to


httpd_suexec_t


, the user identity


user_u


must remain the same. The exception


is if the source domain has the attribute


privuser


. It then has the privilege to change user identity:


constrain process transition ( u1 == u2 or t1 == privuser );


A constraint can make a restriction for the source and target based on type, role, or user identity. This


is different from the other rule types. TE rules use only types, while role


allow


rules use a pair of


roles.


This is from the


constraints


file and further explains syntax and constraints in the targeted policy:


# Define the constraints


#


# constrain class_set perm_set expression ;


#


# expression : ( expression )


#


| not expression


#


| expression and expression


#


| expression or expression


#


| u1 op u2


#


| r1 role_op r2


#


| t1 op t2


#


| u1 op names


#


| u2 op names


#


| r1 op names


#


| r2 op names


#


| t1 op names


#


| t2 op names


#


# op : == | !=


# role_op : == | != | eq | dom | domby | incomp


#


# names : name | { name_list }


4. Linux UIDs and SELinux user identities should match because login and similar applications will try to


look up the match. If it fails to find a match, it will fall back to user_u.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved