👉 Overview
👀 What ?
SELinux, or Security-Enhanced Linux, is a security architecture integrated into the Linux kernel. It is a feature that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC). SELinux users are the mapping between Linux users and SELinux user identities.
🧐 Why ?
SELinux is essential because it provides a finer grained control over system resources and processes. It helps to limit the potential damage that can be done by a malicious user or process, by controlling the actions that any particular process may take. SELinux users are important as they define what roles and domains a Linux user can transition into, effectively dictating what the user can and cannot do.
⛏️ How ?
Using SELinux users requires understanding of the SELinux policy in use on your system. Each policy may define its own set of users. Here are some steps to use SELinux users: 1) Use `semanage user -l` to list the SELinux users defined in your policy. 2) Use `semanage login -l` to view the mapping between Linux usernames and SELinux users. 3) To modify the mapping, use `semanage login -m -s SELinux_user Linux_username`. Remember, changes to SELinux can have serious implications on your system's security, so it is critical to understand what you are doing.
⏳ When ?
SELinux was first introduced in the Linux kernel 2.6, released in December 2003. It has since been integrated into many Linux distributions, with various levels of default enforcement.
⚙️ Technical Explanations
In SELinux, or Security-Enhanced Linux, users play a central role in determining access controls and permissions. Each Linux user is mapped to an SELinux user, which forms a part of the SELinux security context. This security context, in turn, identifies security attributes of both processes and objects.
It's critical to understand that an SELinux user isn’t the same as a traditional Linux user. Instead, an SELinux user is a component of the SELinux security model and plays a role in access control decisions. When a Linux user logs into a system, that user is mapped to an SELinux user, and from there, SELinux determines what policies apply.
SELinux users are associated with a set of roles, and each role can enter certain domains. A domain in this context is a label denoting a specific set of permissions or restrictions. It defines the allowed interactions with other types of objects.
So, you have a three-tiered mapping system: user-role-domain. This system provides a flexible mechanism for defining access controls. For example, a process running in a given domain has the permissions defined for that domain, regardless of the privileges of the Linux user who started the process. This separation, where a process's permissions are dictated by its domain rather than the initiating user's privileges, helps to limit the potential damage that can be done by a compromised process. This compartmentalization is key to the enhanced security provided by SELinux.
In order to effectively use SELinux users, one must understand the SELinux policy active on the system. Each policy may define its unique set of users. Commands such as semanage user -l to list the SELinux users, and semanage login -l to view the mapping between Linux usernames and SELinux users, are essential. Changes to SELinux can have serious implications on a system's security, thus it is critical to understand what each command and change implies.
To understand the use of SELinux users, consider this example:
- List SELinux Users: Begin by listing all SELinux users using the command
semanage user -l. This will provide you with a list of current SELinux users defined by your policy. For instance, you might see something like: - Map Linux User to SELinux User: A Linux user must be mapped to an SELinux user. To see this mapping, use
semanage login -l. This might return something like: - Modify the Mapping: To change the mapping, use the command
semanage login -m -s SELinux_user Linux_username. For example, if you want to map the Linux user 'test_user' to the SELinux user 'user_u', you would use:
SELinux User Roles
system_u system_r
user_u user_r
Here, system_u and user_u are SELinux users and system_r and user_r are their corresponding roles.
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root system_u s0-s0:c0.c1023
Here, the Linux user 'root' is mapped to the SELinux user 'system_u'. The Linux user has the privileges associated with 'system_u' in SELinux.
semanage login -m -s user_u test_user
After this, any sessions initiated by 'test_user' will have the SELinux user 'user_u' and the corresponding roles and permissions.
Remember, changes to SELinux can have significant implications for your system's security. Always ensure you understand the implications of any commands or changes.